The "1Password sends your password in clear text" article

jhonatanoliveira

Hello.

Today I came across this article: https://medium.com/@rosshosman/1password-sends-your-password-across-the-loopback-interface-in-clear-text-307cefca6389#.74bgvehss

The author, in resume, says "1Password sends your password in clear text across the loopback interface if you use the browser extensions.", which is a serious issue.

As a 1Password user I am very concerned about this fact. If this is true, should I uninstall the Chrome extension?

Please, can you kindly clarify this for us.
Thank you.
Best regards.

---

1Password Version: 6.1
Extension Version: 4.5.3.90
OS Version: 10.11.3
Sync Type: Dropbox

Ben

Hi @jhonatanoliveira

Thanks for taking the time to write in about this! The short answer here is that the kind of sniffing on the loopback interface that the author describes requires privileged access to your computer. Our Chief Defender Against the Dark Arts has written up a detailed reply here:

[Disclosure: I work for AgileBits, the makers of 1Password] — Medium

It is up to you of course, but I'm certainly going to continue to use the browser extensions.

I hope that helps. Should you have any other questions or concerns, please feel free to ask.

Ben

jhonatanoliveira

Hello, Ben.

Thank you for replying with a detailed description and a reply for the post.
I am no specialist in the area so, as a client, I choose to believe on the safety proposed by AgileBits.
I just wanted to clarify it, since this topic is right now at the top of the famous discussion forum Hacker News (see https://news.ycombinator.com/item?id=11212002).
I thought it could be something serious.

I will keep my extension, then.
Thank you again.
Best regards.

Jacob

@jhonatanoliveira Sounds great! I'm keeping my extension too. :)

gabrillo

Hi,
I've been reading this:

https://medium.com/@rosshosman/1password-sends-your-password-across-the-loopback-interface-in-clear-text-307cefca6389#.at6uf7pjp

in which the poster claims that the browser extension and the application communicate via the loopback interface, sending cleartext logins and passwords through the local network.
Is this a real issue? I'm a sysadmin and I can't see this as a major threat, since if someone can snoop your loopback to loopback communication it means your computer is already compromised at some level, but I'm wondering if I should be concerned and/or if there is some plan on implementing application-extension encryption instead of sending login information in cleartext.

Thank you!

---

1Password Version: 6.0.2
Extension Version: 4.5.3.90
OS Version: 10.11.3
Sync Type: dropbox

NightHawkHat

I came here for the same reason. I'm not qualified to judge the gravity of this. I saw the words cleartext and passwords and it got my attention right away.

What's up here, agilebits?

xparrot

https://medium.com/@rosshosman/1password-sends-your-password-across-the-loopback-interface-in-clear-text-307cefca6389#.f883qom44

I count on 1password to be secure. Is it?

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Ben

Hi @xparrot,

I've merged your thread with another on the same topic.

The short answer is that yes. It is. Please see above. :)

Ben

hawkmoth

There was another discussion,about this in the forum today. It's a helpful thread, which includes links to more security discussion. Here is where to respond that: https://discussions.agilebits.com/discussion/60026/the-1password-sends-your-password-in-clear-text-article

jxpx777

Thanks for sharing that link, @hawkmoth. Just for posterity, I also want to make sure folks see @jpgoldberg's reply post on Medium. Thanks, guys!

drechsau

1Password communicates in cleartext when filling in logins via browser extensions!

Help me!

Last night I had tweeted about how happy I was with 1Password for Families after I had gotten my wife set up. Already using it (1Password for Teams) for my small business and looking forward to implementation later on with my customers.

I was completely surprised this morning when someone responded to my tweet asking if I had seen this article:

1Password sends your password across the loopback interface in clear text

so I decided to check it out myself! Launched Safari, popped over to GitLab, and hit the magic buttons.. Watched my packet capture and I was taken aback at the output.

Command: sudo tcpdump -i lo0 -s0 -A port 6263

returned lots of things, including what I did not want to see - the password in cleartext.

08:17:09.858601 IP localhost.6263 > localhost.52183: Flags [P.], seq 298:990, ack 6587, win 11427, options [nop,nop,TS val 1274368990 ecr 1274368960], length 692 E....[@.@............w..ICh...}...,........ K.S.K.S..~..{"action":"executeFillScript","payload":{"script":[["click_on_opid","__2"],["fill_by_opid","__2","myemail@g.....org"],["click_on_opid","__3"],["fill_by_opid","__3","__thiswasmypassword!__"]],"autosubmit":{"focusOpid":"__3","helper-capable-of-press-enter-key":true,"submit":true},"nakedDomains":["gitlab.com"],"documentUUID":"XXXXXXX","properties":{},"fillContextIdentifier":"{\"itemUUID\":\"XXXXXXX\",\"profileUUID\":\"XXXXXXX\",\"uuid\":\"XXXXXXX\"}","options":{"animate":true},"savedUrl":"https:\/\/gitlab.com\/users\/sign_in","url":"https:\/\/gitlab.com\/users\/sign_in"},"version":"01"}

Now, to be clear, I do understand that most users systems are single user and it would take a black hat person a little more work to get into the system and start the packet tracing.

But isn't this exactly what malware does? And Agilebits has just given the malware providers something of great value: passwords..to..everything!

Yeoch.

Help me!

Edit 1: Well, communication with the helper app is supposedly authenticated and secure but I would disagree with that.

Edit 2: 1Password has a blog post about this as well but that is no reason to at least do TLS in my opinion.

ref: FYF-29189-853

---

1Password Version: 6.0.2 App Store
Extension Version: 4.5.3
OS Version: 10.11.3
Sync Type: N/A

AGAlumB

@drechsau: I hope you don't mind, but I've merged your post with the existing discussion on this particular article.

There are some great comments on the Medium post you linked, both from @jpgoldberg (AgileBits' Chief Defender Against the Dark Arts) and other knowledgable folks. There was also a great parallel discussion a few days ago about the article on Y Combinator/Hacker News.

Unfortunately TLS isn't really a solution, because the extension still has no way to validate mini. It's certainly something we've considered, but a bad mini could just as easily provide the same functionality that the extension expects.

I think the key takeaway from these discussions is that no one should (or would — not even you) have access to loopback traffic through tcpdump unless your system has been setup explicitly to allow this. If you're doing it (by allowing Wireshark to reconfigure things) you need to be be aware of the potential consequences from a security standpoint (were your system to be accessed by someone malicious with your privileges); and if someone else is able to do this, they already own your system and all bets are off anyway. :dizzy:

drechsau

I read all of those items - thanks for sharing though!

Cloudflare has keyless SSL in operation and could be a hint towards a solution.

The part that is probably missing is the validation (or authentication) of the presented security layer and that's where things get difficult. Hopefully the above can help a bit.

Something >> nothing in this case. Not saying obfuscation is correct if only because that's not really any layer of security but anything will be helpful.

Any multiuser system is going to have much larger issues and as you break into the enterprise and people are using RDS servers with their 1Password application then what will happen? I see all kinds of issues with the idea of scalability anyway but if the data continues to be in cleartext then there will be problems from the security side of the house.

This was found on a Mac and Macs are primarily single user systems (iOS as well) but what happens if/when you do your Linux port? Now back to potentially multiuser and open to another whole slew of yahoos and fanboys that will cry foul.

Malware is coming to OS X and when it does the internet will cry for a few days. People are trained to just enter their password when prompted by modal dialogs because they downloaded something. Then what?

Edit: From HN pointing out things on the Agilebits website.

drechsau

BTW: I have no issue with the merging. I am far more interested in the discussion.

jxpx777

Hi, @drechsau. I've asked one of our security folks to take a look at this keyless SSL idea and they should be back with you soon. Thanks for your interest in this discussion!

LosInvalidos

Dear AgileBits team, what's the official response, other than "read our documentation" to the finding, that passwords are transported in cleartext when Browser extensions are used?
https://medium.com/@rosshosman/1password-sends-your-password-across-the-loopback-interface-in-clear-text-307cefca6389#.xzcp589iu

I understand this is "only" a problem, if the machine running 1P is already compromised. But wouldn't it in any case be better to still transfer the passwords in encrypted form? If so, is there a ticket already in your bug database and again if yes, what item number does it have?

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

jxpx777

Hi, @LosInvalidos. I've merged your post in with another thread about this issue. Please give this thread a read, especially the post that @bwoodruff linked to. I hope that helps, and let us know if you have any additional questions.

--
Jamie Phelps
Code Wrangler @ AgileBits

LosInvalidos

@jxpx777 The details on the decision against encrypting that local traffic are rather sparse. Maybe for this very important matter it would be nice to elaborate in greater detail? Jeffrey is doing that in his responses on the article, so that is great. A write up or update to the 2015 blog post from AgileBits would be highly welcome.

Edit: I also admin that the complexity of this issues is beyond my IT skills. So the argument of "if machine is compromised, there's far greater issues than 1P local traffic happening in cleartext" may be valid and correct. But if there's any option this can be made more secure, it's well worth spending brain cycles on that.

But naturally there are limits to any security measure.

jxpx777

@LosInvalidos We're certainly discussing our path forward on this front internally. It's a hot topic for us right now and we're discussing a few different possibilities. What we don't want is to give the false impression of security that isn't there. It's been stated elsewhere, but we don't want to simply obfuscate the traffic with a shared key because there's nowhere safe to store that key.

Public key cryptography doesn't help either because the public key has to be stored somewhere if we approach it as a trust-on-first-use situation or you have to manually approve the connection between 1Password and the browser each time they connect, which would be a nightmare of customer annoyance. Moreover, it doesn't actually protect things that much because the bad mini can simply lie to the browser about its identity, give the browser extension its own shared key, etc.

If your machine is compromised, there are much better ways for the attacker to gain access to your 1Password data than inspecting the loopback traffic, and giving users a false sense of security because the traffic doesn't immediately look intelligible would be a mistake and is not a path we want to go down.

AGAlumB

@LosInvalidos: And as mentioned earlier in the discussion (which of course you're new to, so no worries!) access to this traffic is not even possible unless an administrative user (i.e. the guy who wrote the article) modifies the system to allow access to it (in this case, he provided his admin credentials to allow WireShark to make this change on his behalf):

I think the key takeaway from these discussions is that no one should (or would — not even you) have access to loopback traffic through tcpdump unless your system has been setup explicitly to allow this. If you're doing it (by allowing Wireshark to reconfigure things) you need to be be aware of the potential consequences from a security standpoint (were your system to be accessed by someone malicious with your privileges); and if someone else is able to do this, they already own your system and all bets are off anyway. :dizzy:

So none of us are susceptible to this unless either we break the system's security ourselves or provide another entity with the means to do so. That doesn't mean that we're not interested in finding ways to improve security, but in the end 1Password will still never be able to protect us from ourselves, and we don't want to provide a false sense of security, only the real thing.

jxpx777 also made a great point about cryptography, and I wanted to to bring it back: storing the keys on the device is why DVD encryption was cracked. :pirate:

eafernandes

I will turn things as simplest as possible here. You decide to close all windows, doors and holes in your home with wood in order you can walk naked within. You contract Agile Bits to do that service. Agile Bits does the most perfect service and closes all the windows, doors and any other hole existing in your home. Then, some days later you allows that a locksmith come to your home to execute some service. By an oversight you leave the locksmith alone for five minutes and it takes to install hidden cameras in your home. After a few days, her naked pictures leaked to the public. A garbage magazine records the fact and says that Agile Bits did'nt execute the service correctly because you've been seen naked by millions of people. This is the story.

AGAlumB

@eafernandes: Thanks! That's definitely a provocative story, but not quite analogous to what we're talking about here. If we amend it to say this instead, it will be a more accurate analogy (though still imperfect, due to the differences between digital and physical security):

You decide to close all windows, doors and holes in your home with wood in order you can walk naked within. You contract Agile Bits to do that service. Agile Bits does the most perfect service and closes all the windows, doors and any other hole existing in your home. You decide to knock down a wall and build an addition. No one is contracted to secure it. Then, some days later you allows that a locksmith come to your home to execute some service. By an oversight you leave the locksmith alone for five minutes and it takes to install hidden cameras in your home. After a few days, her naked pictures leaked to the public. A garbage magazine records the fact and says that Agile Bits did'nt execute the service correctly because you've been seen naked by millions of people.

As mentioned above, users making modifications to overall system security is what creates the vulnerability in this case. It's more than a little bit ironic in the sense that the very act of trying to probe the security is what breaks it. Fascinating. :)

eafernandes

Haha. Good amendment @brenty. As I read some days ago, "people should understand that it must exist a compromise between security and convenience".

AGAlumB

@eafernandes: In many ways, 1Password offers the best of both worlds: security and convenience. But you're absolutely right that it is often a struggle to reconcile these two. There are always new threats, but we're also continually working to improve 1Password in both respects — or at the very least to strike a good balance. Cheers! :)