Malicious website spoof 1password mini dialog

DaGreek211
Community Member

What, if anything, prevents a malicious website from creating a fake 1Password mini box that might trick a user into entering their Master Password?

In the past the 1Password mini dialog would show in the top right of the screen, so I at least knew a website couldn't be making a fake window, since it was partially outside the browser's HTML-rendered area.

Lately the 1Password dialog is centered over the browser, so it seems possible to make a very authentic-looking dialog via HTML/JavaScript to capture a user's credentials.

It seems like the only defense is to not use 1Password mini? This seems like an obvious issue, so if it's already been discussed I'd appreciate a link to the discussion.

Thank you,


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: MacOS
Sync Type: Not Provided
Referrer: forum-search:Malicious website spoof 1password mini dialog

Comments

  • Lars (1Password Alumni), edited October 2017

    @DaGreek211 -- Excellent question! The short answer is: your own good judgment.

    One of the things you will hear if you spend enough time in this forum is that security is process, not a product. If there were one product - ANY single product, 1Password or otherwise - that could protect users in all circumstances from all threats, everyone would already own it, and security would be both simple and uninteresting, at least for the user.

    Of course, as you're well aware, that's not the case - we provide a key tool users can employ as part of their overall digital security, and we provide a number of safeguards within 1Password itself to avoid spoofing of a legitimate process. But we can't control what either users or attackers do outside of 1Password. For instance, there is the extension authorization process that prevents a malicious extension designed to look like 1Password from stealing credentials in the browser. But if a malicious website goes to the trouble of creating a fake copy of what appears to be a locked 1Password mini, and you enter your Master Password into it, even with 1Password running on your computer at the same time, we would have no way to know what's going on between you and your browser.

    In such a case, you have to rely upon your own judgment and remain vigilant, in the same way we've all learned not to click on .doc or .exe attachments to emails we receive even from people known to us, as they may have been phished or otherwise hacked. In the case you imagine, you'd want to ask yourself: is this actually 1Password? Why is it asking for my Master Password at this particular time? The only time I should see a legitimate pop-up from 1Password of that sort would be if I had typed the Fill keyboard shortcut (⌘+\) or clicked the browser extension or mini while 1Password was locked. Did I do that? If not, why am I being asked for my Master Password in this website? Can I drag the (fake) 1Password window outside the confines of my browser window, or is it a page element? This is the kind of general awareness of one's surroundings that helps keep one from getting taken in by a generic attack (i.e. - not targeted directly at you) of the sort you've described.

    As people dedicated to helping users improve their digital security, the above isn't easy for me to write, because I think most of us secretly wish we could give you a product that would keep you safe at all times...but it's just not achievable in the real world. Your Master Password is quite literally the key to all your 1Password data; you should make doubly certain each time you enter it that you're typing it only into 1Password. And you should probably consider trying to avoid frequenting the kinds of websites that might attempt such an attack on their own visitors. :)

    ref: OPX-1411

  • DaGreek211 (Community Member)

    @Lars I agree with everything you said, but I do think it is possible to partly mitigate this issue. If you always present the 1Password mini UI overlaying the browser's bezel, then it would not be possible for a website using HTML/CSS/JS to mimic that position on the screen.

    This might not stop a bad extension?

    Is it possible for a bad website to listen for the (⌘+) command and pop up a fake one at that time? Does 1Password prevent browsers from receiving that particular keyboard combination?

  • Lars (1Password Alumni), edited October 2017

    @DaGreek211 -- I actually goofed -- the keyboard shortcut is ⌘+\ (command-backslash), now fixed in that reply. But to try to address that question, 1Password's extension "listens" for that keystroke combination (and others) when the browser is the front-most application. I'm not 100% certain about this, but it may be possible a site could be configured to pick up that keystroke combination as well, but because the process called by a genuine invocation of the 1Password mini/extension is outside of the browser's control, the most that might happen (to the best of my knowledge) is that you might see both things: the genuine 1Password mini window as well as whatever the website tried to display. That alone should be a tip-off that something is very wrong. It's still an area where a less-sophisticated user might become confused or even enter information into a malicious pop-up, which is why we continue to think about what kind of countermeasure we might be able to come up with that would be effective, reliable, not too intrusive and without adding additional potential confusion for the user.

    In fact, something like what you're proposing here is among the ideas we're thinking about in regard to mitigating this. Like with a lot of things, there's more than it might seem that has to be taken into account when considering making changes to how 1Password looks or (especially) behaves. How many people will it affect? What is the real-world likelihood of a particular threat, and how effective would this particular mitigation be? How much work will it take to make the change, and what else will we be putting off or abandoning if we do this instead? Those are just a few of the issues we need to take into account before making any particular moves.

  • DaGreek211 (Community Member)

    Sounds reasonable. I can think of a lot of cases where window position (fullscreen) and other things might interfere with the preferred pop-up location. I'm happy this is already under discussion.

  • Lars (1Password Alumni)

    @DaGreek211 -- yup, definitely. I must sound like a broken record to anyone who keeps up to date with posts on this forum, but I'll say it again: keep an eye on updates, and thanks so much for being part of a user community that thinks deeply about these things and cares enough about not only their own security but the direction of 1Password to take the time to share your ideas with us. Cheers!

This discussion has been closed.