Cross-App Resource Access (XARA)

eltel Junior Member
edited June 2015 in Lounge

Can you please comment on this report in "The Register" http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/

More importantly can you clarify your response on that site viz "AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks or make the malware "work harder" some four months after disclosure."

Are you saying that the 1password.agilekeychain is currently vulnerable to these possible malware attacks?

Thanks


AgileBits Update: Please be sure to read our blog post about this issue which explains the situation in much greater detail: https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/


Comments

  • brenty

    Team Member

    More importantly can you clarify your response on that site viz "AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks or make the malware "work harder" some four months after disclosure."

    @eltel: I'm not entirely sure what this sentence even means, but suffice it to say that if the system is compromised (your computer or mobile device), it is no longer yours. This is what "pwnd" ("owned") means: the system belongs to the attacker. At this point, all bets are off.

    However, an attacker still needs to be able to decrypt your data. But your vault is encrypted! Sounds good, right? Except if they have control of your system, no amount of security can prevent them from "seeing what you see". If you do not access sensitive information (such as you probably store, encrypted, in 1Password), it remains secure, because your data is encrypted. However, in order for you to access your data, it must be decrypted; and at this point the new "owner" of your computer can access it too. Turn off your computer and put it in a closet, and your secrets will be safe; access your secrets, and the "owner" of your computer can access them as well.

    Are you saying that the 1password.agilekeychain is currently vulnerable to these possible malware attacks?

    No. Malware isn't going to decrypt your data. Not a prayer. Malware is going to try to get you to decrypt your data for them. Don't let it happen.

    Ultimately this is no different than any other case of a system being compromised, with one key difference: when an attacker gains access to your system they can access anything the operating system itself (under your user account) has access to. But since 1Password encrypts your data independent of the operating system, the operating system cannot decrypt it or otherwise allow de facto access to the data.

    Significantly, Agile Keychain is not the same thing as (or even peripherally related to) the OS X or iOS Keychain, which is (are?) the subject of the article.

    But most importantly, your 1Password vault can be targeted by the same brute force attacks regardless of platform or location: that is to say, the only way to decrypt your data is using your Master Password, so -- as always -- if an attacker can get both your data and your Master Password, or simply get you to unlock your vault for them while they have access to your system, then they can absolutely access your data. This is true of anything, and probably always will be. After all, malware can even disable your security software once it has control of the system.

    And how does this happen? An attacker would have to work far too hard for far too long in hopes of brute-forcing your encrypted data, so ultimately you and I will always be the weakest link in our own security. Getting us to execute malicious code on our own systems is the only hope an attacker has of getting at our data in their lifetime, provided we use long, strong, unique Master Passwords.

  • Apparently there is a major security problem with the Apple Keychain:

    http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/

    "AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks or make the malware "work harder" some four months after disclosure."

    Is 1Password vulnerable? What action should I take to protect my 1password keychain?


  • I'd also like to know if 1Password is vulnerable - I use it for literally every account I own so all eggs are in the same basket.

    Please provide an update ASAP.

  • This is also being discussed in the Lounge section of the forum, where @brenty recently posted some useful perspective. You can read his post here.

  • sandymc
    edited June 2015

    I've read the original PDF provided by the researchers. Here's the situation as I understand it, as it applies to 1Password:

    1. The attack described is on 1Password on the Mac.
    2. The attack is not actually directly against the app itself, but rather against the associated browser extensions. So there's no suggestion that your keychain can be read directly.
    3. However, any userid/password pair that is filled in via a browser extension can be recorded.
    4. The attack has been demonstrated against the browser extensions for all of Chrome, Firefox and Safari.
    5. In very simplified form, the vulnerability is that a malicious app can in effect "listen in" on the conversation between the browser extension and the 1Password app, so recording the user id/password. For this to happen, the malicious app needs to be run before 1Password.

    For this to happen:

    1. You need to have downloaded and run a malicious app (the researchers claim to have successfully got such an app onto the Apple App Store)
    2. You need to be using a browser extension.

    In the short term, if you're worried, disabling the browser extension would seem like the best bet.

    But I agree with the original poster - a comment from Agile Bits would be a good thing.

  • prime
    edited June 2015

    I just saw this posted on MacRumors also. It seems like it's getting harder and harder to protect our info.

    http://www.macrumors.com/2015/06/17/ios-osx-cross-app-keychain-security-flaw/

  • logocop Junior Member

    An article in The Register today (http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/) says a new exploit makes it possible to "crack Apple's keychain, break app sandboxes and bypass its App Store security checks so that attackers can steal passwords from any installed app including the native email client without being detected."

    Especially troubling is this line in the article: "AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks or make the malware 'work harder' some four months after disclosure." [The exploit was disclosed to Apple 6 months ago, apparently without a fix yet.] Obviously one sentence can't tell the whole story, so I would really like to hear what AgileBits has to say about this. Thanks.


  • Having read the Lounge comments by @brenty, my takeaway is that he needs to read the research paper and reconsider his remarks. The attack vector is not against the 1Password vault; it's targeting the (unencrypted) exchange of information between the 1Password browser extension and the browser. That may be a very difficult problem for an extension to handle, more likely something that needs to be fixed either within the OS (not allowing the malicious app to install itself) or within the browser.

  • jpgoldberg Agile Customer Care

    Team Member
    edited June 2015

    Hi all,

    We've had long conversations over the past several months with Luyi Xing and his team that analyzed these problems and have looked at their demonstration of attacks against the communication between the 1Password Browser Extension and 1Password Mini. They have been excellent at providing us with details and information upfront.

    What makes this particular attack more worrisome than other attacks that depend on malware running on your system is that the malware in this case does not need to be "admin" or "root".

    As always, we are limited in what we can do in the face of malware running on the local machine.

    The threat

    The threat is that a malicious Mac app, if it gets the timing right, can pretend to be 1Password Mini as far as the 1Password Browser extension is concerned. It can therefore collect Login details sent from the 1Password Browser Extension to the fake 1Password Mini. Thus, it is possible to install a malicious app that might be able to put itself in a position to capture passwords sent from the browser to 1Password.

    Note that their attack does not gain full access to your 1Password data, but only to those passwords being sent from the browser to 1Password Mini. In this sense, it is getting the same sort of information that a malicious browser extension might get, whether or not you use 1Password.

    Background

    Obviously we would want the Mini and the Extension to only talk to bona fide versions of each other, and this becomes a problem of mutual authentication. There should be some way for Mini to prove to the extension that it is the real Mini, and there should be a way for the extension to prove to Mini that it is a real 1Password extension.

    One difficulty that we face is that we have no completely reliable mechanism for that mutual authentication. Instead we employ a number of separate mechanisms, each with its own weaknesses.

    What can be done

    Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem. We thank them for their help and suggestions during these discussions. But there are things that can make such attacks more difficult.

    What you can do

    1. Check "Always Keep 1Password Mini Running" in Preferences > General.

      In the specific attack that Luyi Xing demonstrates, the malware needs to be launched before the genuine 1Password Mini is launched. By setting 1Password Mini to always run, you reduce the opportunity for that particular attack.

    2. Pay attention to what you install.

      As always be careful about what software you run and install on your system. Enable Gatekeeper.

      However, this provides no guarantee of safety as Xing demonstrates that they were able to get a malicious app approved by the Mac App Store review process. I do expect that since then Apple knows what to look for.

    What we can do

    There are other (defeasible) mechanisms that we can add to our attempts at mutual authentication between extension and Mini. One of them is to have a shared obfuscated key in both Mini and the extension. (Remember that the browser extension never sees your Master Password, so any secret it stores for authentication cannot be protected by your Master Password.) Obfuscation only makes things a bit harder for attackers until someone breaks the obfuscation (which we must assume will happen).

    We could also make use of the OS X keychain for storing tokens for mutual authentication, but that would only work with some browsers.

    In the extreme case, we could have some explicit user pairing (sort of like Bluetooth) between Mini and the extension, but that would need to be done every time either the browser or Mini is first launched.

  • Thanks for the update.

    Personally, I'd like to see an explicit pairing option implemented (ASAP), if that's the simplest solution that offers full protection. If it's a real vulnerability, then there should be an option for dealing with it, regardless of how inconvenient.

  • hawkmoth
    edited June 2015

    @jasnw - I'm no expert, but I thought @brenty's discussion was fairly clear that the threat was capturing activity on the computer, rather than a direct attack on the 1Password vault itself. But if that isn't clear, it is true and maybe could use some additional emphasis.

    Edit: there now is a post from AgileBits's security guru that is more detailed and perhaps more informative. It's here.

  • eltel Junior Member
    edited June 2015

    @jpgoldberg - thanks for the comprehensive update. I'm with @sandymc regarding the explicit pairing solution. In the meantime I'm disabling the Safari and Chrome 1PW extensions and copying and pasting passwords via the 1PW Mini app icon in the menu bar. Paranoia maybe, and far from ideal or convenient as new logins and password changes need to be managed manually via 1PW, but until I can be certain this is fixed either by AgileBits or Apple, I'm happy to do that.

  • logocop Junior Member

    AgileBits posted a response in another thread that asked the same question, here.

  • sriggins Member
    edited June 2015

    So this affects interapp communications as well as OS Keychain saving?

  • @jpgoldberg: A shared obfuscated key would require that such malware target 1Password specifically though, wouldn't it? Could you set a shared key like you do for the WiFi sync, setting a unique key per user that persists between reboots and login sessions, only needing to be updated when the application version changes?

  • casperghst42 Junior Member

    Hi,

    In this article: http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg AgileBits is quoted to say that you had problems stopping the attacks.

    Now the question is: does the latest version of 1Password stop malicious applications from getting to the secure data?


  • Why no information on this directly from AgileBits?

    My question is: Is it only the App Store version which has the vulnerability? -OR- is it both versions?

    I need to know ASAP.

    This is extremely disappointing to learn about this from the media and not directly from AgileBits, considering you've known about this for over 4 months. Agile?

  • MrC Community Moderator

    @casperghst42 and @EuroTrash

    No need to panic. See this thread.

  • casperghst42 Junior Member

    @MrC, thank you.

  • @MrC, thanks for your snarky reply. I'm upset and disappointed, not panicked.

    That thread isn't visible on the OS X forums (and doesn't address my concerns). Krebs on Security, 9to5mac and The Register are reporting 1Password is vulnerable, and the Agile response is hidden in the Lounge? Thanks.

  • If we don't use the 1Password extension, are we safe?

  • I think the AppStore issue deserves a comprehensive explanation.

    The issue isn't about a system being pwnd (is it?) ... I'm not sure how being pwnd is relevant? My understanding is there is a specific vulnerability. It sounds like there are several security issues being tossed around here.

    If 1password mini can be faked (App Store issue? ) why can't it get my vault password and with it the all keys to my kingdom? It also sounds like any browser extension could be stealing any passwords I use as well.... shouldn't watchtower be addressing browser extensions?

    Does this affect 1password5 bought directly from AgileBits or just the AppStore version? (Sounds like both....)

  • With the recent hack of LastPass servers - perhaps I am attuned to this type of thing, but: Would AgileBits care to comment on the subject article posted by Brian Krebs (http://krebsonsecurity.com)? "AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks or make the malware 'work harder' some four months after disclosure."


  • sandymc
    edited June 2015

    What can be spoofed is only the communication mechanism between the extension and the 1Password app. So if a malicious app runs before the 1Password app and extension, it can insert itself into the middle of the communication channel. The malicious app doesn't replace or compromise either the browser extension or the main 1Password app, it just gets in between them, and can record information passed between them. The researchers identified a number of other possible vulnerabilities relating to OS X, but based on what is in the article, this appears to be the only vulnerability that impacts on 1Password. There doesn't seem to be any reason why this would not equally impact on both the App store and directly purchased versions.

  • MrC Community Moderator

    @EuroTrash,

    Sorry you took it that way; it absolutely was not meant as anything other than a reference to a thorough reply from the security experts at AgileBits. You seemed very worried, so I wanted to allay your concerns or fears.

  • nev Junior Member

    This. This. This.

    Answers required !

    macrumors.com/2015/06/17/ios-osx-cross-app-keychain-security-flaw/

    "...inter-app interaction services, ranging from the Keychain and WebSocket on OS X to the URL Scheme on OS X and iOS, can be exploited to steal confidential information and passwords, including those stored in popular password vaults such as 1Password by AgileBits"

  • nev Junior Member

    This all sounds hideous and I'm going to buy a stack of paper and a crayon

  • brenty

    Team Member

    Could you set a shared key like you do for the WiFi sync, setting a unique key per user that persists between reboots and login sessions, only needing to be updated when the application version changes?

    @sindarina: The problem is that this would still be stored on your computer unencrypted. And if it is controlled by someone other than you, they'd also have it.

    Your data is safer if you simply give your computer with encrypted data to a hacker than if your system is compromised and you continue with business as usual.
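    The following is an added example, not AgileBits code and not the real extension/Mini protocol (which the thread does not describe): a small Python model of the attack jpgoldberg and sandymc describe above, where an app that starts before 1Password Mini takes the local endpoint the browser extension talks to, plus the challenge-response "pairing secret" idea and brenty's objection to it. The port number, the message shapes and the HMAC-SHA256 challenge-response are all assumptions made for the model. The four scenarios it runs are: malware first with today's unauthenticated channel (the login is captured); Mini kept always running (the genuine Mini wins the port); malware first but the extension demands proof of a pairing secret (the impostor is refused); and malware first after it has read that secret from disk (the check is defeated, which is the point brenty makes).

```python
# Added example (not AgileBits code): toy model of a malicious app racing
# 1Password Mini for the endpoint the browser extension sends logins to.
import hashlib
import hmac
import secrets

# Assumption: a fixed local port stands in for whatever channel the real
# extension uses to reach Mini. The message format is invented for the model.
MINI_PORT = 6263


class LocalPortTable:
    """Stands in for the OS loopback interface: first process to bind owns the port."""

    def __init__(self):
        self._owners = {}

    def bind(self, port, process):
        if port in self._owners:
            return False            # "address already in use": the race is lost
        self._owners[port] = process
        return True

    def connect(self, port):
        return self._owners.get(port)   # whoever bound first answers the extension


class GenuineMini:
    name = "1Password Mini"

    def __init__(self, pairing_secret):
        self._secret = pairing_secret
        self.logins = []

    def handle(self, msg):
        if msg["type"] == "challenge":
            mac = hmac.new(self._secret, msg["nonce"], hashlib.sha256).digest()
            return {"type": "response", "mac": mac}
        if msg["type"] == "save_login":
            self.logins.append((msg["user"], msg["password"]))
            return {"type": "ok"}
        return {"type": "error"}


class ImpostorMini:
    """Malicious app squatting on the port. It can answer a challenge only if it
    has already read the pairing secret off disk (stolen_secret)."""
    name = "impostor"

    def __init__(self, stolen_secret=None):
        self._secret = stolen_secret
        self.captured = []

    def handle(self, msg):
        if msg["type"] == "challenge":
            if self._secret is None:
                return {"type": "response", "mac": b"\x00" * 32}   # can only guess
            mac = hmac.new(self._secret, msg["nonce"], hashlib.sha256).digest()
            return {"type": "response", "mac": mac}
        if msg["type"] == "save_login":
            self.captured.append((msg["user"], msg["password"]))
            return {"type": "ok"}                                  # play along
        return {"type": "error"}


class Extension:
    def __init__(self, ports, pairing_secret=None):
        self._ports = ports
        self._secret = pairing_secret   # None models the unauthenticated channel

    def save_login(self, user, password):
        peer = self._ports.connect(MINI_PORT)
        if peer is None:
            return "no Mini running"
        if self._secret is not None:
            # Fresh nonce per attempt so a recorded answer cannot be replayed.
            nonce = secrets.token_bytes(16)
            reply = peer.handle({"type": "challenge", "nonce": nonce})
            expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
            if not hmac.compare_digest(reply.get("mac", b""), expected):
                return "refused: peer could not prove it holds the pairing secret"
        peer.handle({"type": "save_login", "user": user, "password": password})
        return "sent to " + peer.name


def run_scenario(malware_first, authenticate, secret_on_disk_readable=False):
    """Returns (what the extension did, the logins the impostor captured)."""
    ports = LocalPortTable()
    secret = secrets.token_bytes(32)
    impostor = ImpostorMini(stolen_secret=secret if secret_on_disk_readable else None)
    genuine = GenuineMini(secret)
    for proc in ([impostor, genuine] if malware_first else [genuine, impostor]):
        ports.bind(MINI_PORT, proc)
    ext = Extension(ports, pairing_secret=secret if authenticate else None)
    # Constructed sample credentials, not real ones.
    outcome = ext.save_login("alice@example.com", "correct horse battery staple")
    return outcome, impostor.captured


if __name__ == "__main__":
    print(run_scenario(malware_first=True, authenticate=False))
    print(run_scenario(malware_first=False, authenticate=False))
    print(run_scenario(malware_first=True, authenticate=True))
    print(run_scenario(malware_first=True, authenticate=True, secret_on_disk_readable=True))
```

    Running it prints the four outcomes in order: the impostor records the login, the genuine Mini receives it, the impostor is refused, and the impostor with the stolen secret records the login again. Only the two scenarios that ask the peer to prove it holds the secret differ from today's behaviour, and the last one shows why a secret that sits unencrypted on the same machine as the malware is only a speed bump rather than a fix.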

  • Team, please see AgileBits' reply to my question, posted by another user, under "Apple CORED" just prior to my post.

  • "Any" malicious app installed on the Mac can intercept/spoof 1Password Mini -to- 1Password Extension communication, not just App Store Apps, correct? In other words, The malicious app doesn't have to be an AppStore app in order for this attack to work, correct?

    Does a malicious app need additional permissions (keychain access etc.) to carry out this attack or simply being installed enough?

This discussion has been closed.