Is 1Password vulnerable for website key logging scripts?

I read a Dutch article about how a lot of popular sites use session scripts to track what users do while visiting, often including logging every keystroke. It's based on an English article: https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/

I have often wondered if it's possible for a script on a website to record the 'opening' / master password of 1PW? Specially since the browser is the main, active application at that moment.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • littlebobbytableslittlebobbytables

    Team Member
    edited January 2018

    Hi @laptopleon,

    While I would certainly defer to any situation where @jpgoldberg corrects me, I don't believe 1Password is at any risk. On Macs we use the secure input that disables all listening, even the normally benevolent kind like TextExpander or similar and while I'm much more hazy about specifics on Windows the fact is even though the browser is still the active app the focus is off it. I may have misunderstood the article but it does seem to be about events inside an actual page. This would "limit" the vulnerability to anything entered into the page which still makes for grim reading if misconfigured.

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    To add to what Lil' Bobby said, I'll add a little bit about this article in particular and the web as an environment in general. The web is an inherently hostile environment. Unlike native applications that you download and install, there's no way to validate the code that your browser is executing. Whenever you visit a website, you're implicitly saying, "I trust whatever code this site is going to shove into my browser."1 When you add to this that companies liberally include third-party code for ad networks, trackers, beacons, analytics and the like, you can see how the purposes of those different parties can be at odds with each other. In the case of this article, when you type your credit card in at Bonobos, you're also trusting Bonobos not to expose this information to other parties, which they are clearly failing to do.

    The way that we have to look at this is by asking a) whether using 1Password increases the exposure to the issue at hand and b) whether using 1Password provides any benefit to avoid the issue.2

    In this particular scenario, it depends heavily on how the page reacts to the way that 1Password fills your information when you ask it to. 1Password uses Javascript to set the values of fields directly rather than using the clipboard or trying to mimic keystrokes. But, in order to help 1Password work with sites where some validation is needed in order to allow the form to be submitted, 1Password also simulates some events to tickle the page to do its thing. So, the user says to fill and 1Password tickles the page, sets the fields to the new values, and then tickles the page again. This tickling phase could trigger these scripts to perform their collection. That being said, using 1Password to do this field value changing does not add to the exposure because if you manually type your information into the page, you will be in the same boat.

    But does 1Password provide any benefit? Potentially, yes. If the tracker is doing a half decent job of automatic sanitization of the data, then when 1Password sets a field's value with (for example) your credit card number, it does so in one fell swoop. So, rather than having separate keystrokes for 4, 1, 1, 1… as shown in the example in the article, 1Password says, "This field is the credit card number and its value is 4111111111111111" Once 1Password has set the value, it tickles the page saying, "OK, we 'pressed' some keys on the keyboard and removed focus from the field!" If the page is listening to these events (It seems they are…) then the listener will get only a single event and when the listener looks at the field, it will see a 16-digit value starting with 4, which would be a pretty good indication that this is a full Visa account number that should be sanitized. If they are doing this at a minimally competent level, then 1Password's setting of the field value directly in a way that doesn't trigger the site into "hearing" every keystroke should help make things better. This is just one example of how 1Password might mitigate some of the concern from this kind of script.

    Moreover, when it comes to password exfiltration, the advice and perspective that Jeffrey gave applies. 1Password makes it possible for you to use strong, unique passwords for all your sites. In this way, 1Password helps limit any potential fallout from these kinds of exfiltrations to the one site where you use that password. (If you're not sure if your passwords are all unique, be sure to check out the security audit feature of 1Password.)

    So, taken as a whole, using 1Password shouldn't make things worse with regard to this kind of session replay recording issue and it may indeed help the sanitizers do a better job and also limit the damage such an exfiltration of a password might cause. But, in the end, I think a reckoning is coming over these trackers and analytics packages and this willingness to willy-nilly include third-party code into web pages. Right now, between ad networks selling code execution to the highest bidder (often resulting in malware before the ads can be flagged and removed, a practice known as malvertising), advertising companies like Google, Facebook, and Twitter tracking users all over the web, and companies trying to leverage "big data" (whether they actually know what that means and why they would want it or were just hoodwinked by a salesperson for their analytics package) to understand their customers more so they can sell to them more efficiently, the web is a very hostile place where the user is beset on all sides by actors that cannot be trusted to have their best interests in mind. This is one of the many reasons that people use ad blockers, not just to avoid seeing ads but to protect themselves from these kinds of tracking scripts and other malicious code running in an inherently untrustworthy environment.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas


    1. My phrasing here is deliberate in order to highlight the bizarre nature of the web as an environment for executing code. We don't tolerate this for native applications on our machines but on the web, we (as a digital society) tend to run with scissors… :frown: ↩︎

    2. While it is regarding a different issue, our own @jpgoldberg wrote a lovely blog post that helped me codify this perspective: https://blog.agilebits.com/2017/12/30/1password-keeps-you-safe-by-keeping-you-in-the-loop/ ;↩︎

  • Thank you for your answer. I live in the Netherlands, so I have no idea what Bonobo's (history) is with credit cards and I didn't see anything useful on the first page I googled about it. I don't even own a credit card. I understand they are very common in the US, but in Europe we use bank cards and PIN-codes to verify a person's bank transaction, in real time. Online we use a system that basically sends you to the bank's secure website at them moment you want to pay. You confirm the payment by loggin in and using a TAN code from a paper list, live SMS, or an app as a second check. The TAN-code is disposable. What I'm trying to say is: This is a very different situation because you never give your bank login to a 'strange' site. Just your bank. Now I think of it, PayPal is doing something quite similar, except for the TAN-code.

    As for tolerating it as a digitally society. That's mostly because users don't have a clue what's going on. It's like we 'tolerate' relatively high levels of mercury in salmon, NOx and particle matter. It's not so much that we tolerate it, it's that we can't see, feel, tast, smell it, so most of u have no clue that it's there in the first place.

    That's why apps like 1PW play a big role in guarding the hidden area of or computers. Not that AgileBits asks for such responsibilities, but they more or less come with the trade and that's why we, users, ask a lot of hard questions ;)

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    I understand and am sometimes envious of the more advanced banking structures in Europe! While Bonobos is just one example cited in the article, the fact is that many sites use a relatively small number of these tracking scripts. And while you might not use a credit card, other types of information are included in those exfiltrations such as usernames and passwords, which is why I made sure to bring those up.

    When it comes to "tolerating" this environment, I think we have to distinguish between the users of these sites and the companies that build them. Users cannot really be blamed and I didn't mean to give that impression. But, when it comes to development decisions, the web foists upon developers decisions that are easy to get wrong or to not foresee the consequences of. Contrast the state of the web where it is routine to drop in a single line of code on a web page that allows another company to execute arbitrary code on your site with the practice of including 3rd party code in a signed binary application. And systems such as iOS do not allow you to download and execute code that wasn't part of the original package. (This is why things like Pythonista and other programming tools took so long to find their footing!) It's a bizarre world where we (willingly? I'm not even sure…) suspend our disbelief and create these sorts of situations. I think if the tech community were to build a new world wide web knowing what we now know, it would look much different to what Tim Berners-Lee created when there were just a handful of web pages on the internet and Javascript had not yet been invented.

    Finally, you're absolutely right to ask these challenging questions. 1Password users have placed a lot of faith not just in 1Password as a tool but in the expertise of the company to make recommendations and provide reasonable, measured analysis of these kinds of concerns. It's an honor to carry that kind of trust and big responsibility to live up to. :chuffed:

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas

  • edited January 2018

    Contrast the state of the web where it is routine to drop in a single line of code on a web page that allows another company to execute arbitrary code on your site with the practice of including 3rd party code in a signed binary application. And systems such as iOS do not allow you to download and execute code that wasn't part of the original package.

    I couldn't agree more. I'm certain this will sooner or later cause a 'shake out' – if it's not already happening – after which users (both citizens and corporate on one side and developing companies on the other) will finally see that a basic level of build-in, bottom-up security is key.

    Same with

    I think if the tech community were to build a new world wide web knowing what we now know, it would look much different to what Tim Berners-Lee created when there were just a handful of web pages on the internet and Javascript had not yet been invented.

    About 20 years ago, when I got more and more involved in webdesign, Flash, some server side communication from Flash scripting etcetera, I learned how little security there was build in the protocols. Basically, nothing and basically nothing much has changed. Even server certificates are 'all the same' to 99,99% of the people. It's sad really.

    But again; Usually, first there has to be a personal 'disaster' like losing the family pictures before a backup drive is bought and taken seriously. I guess the same counts for the internet.

    About the European system. I can't take any credit for that obviously, but I feel uncomfortable when I use a credit card. That's why I stopped using it. I once took it, in the late nineties, just because it was the only way to pay for a American computer magazine subscription.

    The other way around: I'm still surprised how the system of credit cards can still be usable. I mean.. there is not even a password! There must be quite a few dollars lost with fraud here and there. I guess the banks still made plenty money to compensate for it. Or am I missing something here?

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    The credit card system isn't perfect by any means, but it is much improved in the wake of the Target breach and others like it. The US is largely moved to chip cards (but using chip and signature rather than chip and pin like Canada and others…) and liabilities have been shifted for swipe card payments from banks to vendors. And while it's not as fast as I would like, Apple Pay is starting to be accepted at more and more places. These kinds of things are very large ships that turn very slowly, but I think we're lumbering in the right direction.

  • A point of 'our' system (what do you call it, swipe cards? The Dutch call it PIN-cards) that could be made safer is that once an incorrect transaction is made, it is impossible to correct (except by the receiver, by paying it back).

    Of course, you don't want people retracting payments willy-nilly, but this gives scammers some room. The credit card companies usually act as a 'third account'. As safety: I you pay but don't receive the goods, they can give you your money back. This can be done without an expensive insurance, just by delaying the payment for a while.

    This is an option I would like to see in our system too. 'Marktplaats' – the Dutch eBay if I may call it that – has just started offering the 'third account' service as a service to customers. It was about time they did since scammers took advantage of the situation.

    Apple Pay.. I guess people have their reservations to giving even more data to Apple and such, but on the other hand I welcome competitors for banking services. I'm surprised Facebook and Google aren't on the same wagon yet.

  • jxpx777jxpx777 Code Wrangler 1Password Alumni
    edited January 2018

    It's worth a read of how Apple Pay functions, particularly when adding your card initially. If you're really into this stuff, you might be interested in Ivan Krstić's 2016 talk at Blackhat. He's the lead security engineer for Apple and goes into great detail about how things like the Secure Enclave Processor works, how it works with sensors like Touch ID (and one could infer that Face ID falls under this when he talks about "alternative authentication") and the Secure Element where your Apple Pay information is stored. So, yes, I do have to trust Apple to handle my credit card information when I set up Apple Pay, but this is much less permanent and persistent than what I already store with them for paying my iCloud and iTunes purchases, so I feel pretty good about that. :chuffed:

  • I hope Apple comes with a version that we can use without the obligatory credit card, or I'm afraid it will not become very popular any time soon in Europe. I think they know that and therefore are not in a hurry to offer Apple Pay in for example the Netherlands.

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    From talking to my friends in Europe (mostly England and Scotland), I hear Apple Pay is very popular. Basically, anywhere that accepts tap/contactless payments will work with Apple Pay. My understanding is that even debit/bank cards can be added to Apple Pay, but it looks like Apple Pay hasn't made it to the Netherlands yet: https://support.apple.com/en-us/HT206637

  • I guess I can only speak for the Netherlands. No, Apple Pay is not yet possible here, not via a Dutch bank anyway. I expect it to though. 'Contactloos' aka contactless paying is steadily gaining ground in Holland already BTW.

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    :+1:

  • I was still thinking about this and talked about it with some others. We think the UK is the exception in terms of credit card popularity. This graphic about the number of cc transactions in Europe supports that thought. Sorry to be so stubborn ;)

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    Yah, each locale is different. I think this has taken us pretty far afield of talking about the session replay scripts. :blush: What I think we can agree on is that these sites shouldn't be making whatever information you use there vulnerable to exfiltration.

  • edited January 2018

    LOL. I revisited the link and noticed it's behind a pay-wall now, but the top bar is (not England but) the UK and 4 to 5 times as long as the second (Netherlands) and the rest is even significantly less. Basically, (not England but) the UK is an exception. For you the UK may be part of Europe, but they see that a little differently ;) They've been talking about 'the continent' long before #brexit .

    edit: Here's a picture

    These are absolute numbers so it's to be expected that the UK has more payments than the Netherlands because there are far less Dutch, but with credit cards being the popular means of payment, you'd expect large countries like France and Germany to be in the top 3 etc.

  • brentybrenty

    Team Member

    Well, like it or not, they're in the EU yet, as far as I know. Maybe "East America" would be more appropriate, given the history and credit card usage. :lol:

  • Being Dutch I hate to say it ;) but, since the British Empire at once time or another, shortly after 'discovering' the New World occupied Canada, the east 1/3rd of what is now the USA, 1/3 of Africa including most of the Gulf states, not to mention India, Australia and New Zealand as wel as half Antartica – basically half the known world at that time – and given the tradition of giving names of 'the home country' to discovered or conquered places, it would be more in the line of expectations that other continents would be named after British home locations. That's why there is a New England in the US, but no New Canada in Europe.

  • brentybrenty

    Team Member

    Yep, that was the joke. Not a very good one, I'm afraid, but I tried! ;) :+1:

  • edited January 2018

    Ah.. I'm sorry I didn't get it :(

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    Humor obviously doesn't always translate well—no worries! :blush:

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file