1Password sends your password in clear text across the loopback interface

197 points by nullrouted, about 9 years ago

29 comments

jpgoldberg, about 9 years ago
[Disclosure: I work for AgileBits, the makers of 1Password]

We've talked about this several times, most recently in June. Please see https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/

This falls into the question of what we can do to prevent attacks from malicious processes running on the user's machine. For the most part, we do try to defend against something where we can. For example, we take steps to make key logging a little more difficult.

In this case, the steps (other than mere obfuscation) that would be necessary to properly encrypt that channel would require that the user be confronted with a "pairing" request and prompt almost every time they restart their browser.

Again, it would be easy to obfuscate this communication, say by using wss; but the private key for that server would still need to be stored en clair on the computer.

There are other approaches as well, but all have unpleasant side effects that risk user data in other ways.
dcole2929, about 9 years ago
By no means an expert, but is this even exploitable if the machine is not already otherwise compromised? Loopback is used for communication between two network applications on the same machine, but it doesn't actually use the network device. Of course you'll be able to see it listening on your own computer, but an outside computer can't sniff something that doesn't actually get transmitted over the network.

Also, in order to populate the password/credit card fields, at some point doesn't the information need to be decrypted? I'd be more concerned if 1Password was storing the keys to decrypt passwords in a browser plugin, as that is a way easier attack vector.
jish, about 9 years ago
Serious question: why is this a bad thing, and how would you do it differently?

You need the password to be "plaintext" in the input field in the browser, so how do you get it there?

Give the extension access to your private keys and master password to do decryption there? Is the browser a safer environment than an app on your machine?
s800, about 9 years ago
At least on OSX 10.11 (not sure about others), you can't sniff loopback as a normal user.

So, if you could sniff this, you'd have elevated privs anyway, which means you could read the keyboard device, memory, etc.

Not ideal, but not sure it's a glaring hole. IMHO. I'd love to hear other thoughts on how to exploit this / how I'm underestimating this hole.
rdl, about 9 years ago
https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/
JonathonW, about 9 years ago
Encrypted or not, if 1Password is sending passwords to the browser extension, that means its keychain is unlocked, and malware, should it really want to grab data out of the keychain, could just request it from the 1Password helper itself. No need to passively sniff for passwords.

I don't really see what the vulnerability is here.
rolfvandekrol, about 9 years ago
In February 2015 I had contact with AgileBits at support@agilebits.com and they answered me within a day. Seriously, you claim you tried to reach them, but I have a hard time believing that. What is 'not too long ago'?
aidos, about 9 years ago
I'm not sure what the implications are. What has access to that information? Is it public to all services on the machine?

Either way, I don't think this is 100% responsible disclosure.
4doorsaloon, about 9 years ago
I believe this is the same issue that AgileBits has been aware of for some time. https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/
jMyles, about 9 years ago
I'm trying to understand when this can be a problem. I guess if you are sharing a VPN / SOCKS proxy with multiple people? And then they are sniffing the loopback and catch your plaintext? Or something?
uptown, about 9 years ago
Do other browser extensions have the ability to look at this data? Could a malicious extension have the necessary permissions to read the loopback interface data? Seems like if the 1Password extension has access, I'm not sure what would prevent others from exploiting that access as well.
joev_, about 9 years ago
I mucked with this a while back. You can dump all your passwords over the websocket pretty easily (provided your 1Password is unlocked):

https://gist.github.com/joevennix/438782cbe447e86f2506

It would be more interesting if an arbitrary website could do this, but they prevent that attack by checking the Origin header on the initial websocket request.
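The Origin check joev_ refers to, as an added example that is neither 1Password's code nor taken from the gist: a minimal handshake responder for a loopback WebSocket listener that completes the RFC 6455 upgrade only when the browser-supplied Origin is an allowlisted extension origin, and refuses a missing Origin the same way as an unknown one. The extension ids in the allowlist are constructed placeholders.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # handshake constant from RFC 6455

# Constructed allowlist: the origins a local helper expects from its own browser
# extension. The extension ids below are placeholders, not real extension ids.
ALLOWED_ORIGINS = {
    "chrome-extension://placeholderextensionid",
    "moz-extension://00000000-placeholder-0000-000000000000",
}


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request head into (request line, lowercase-keyed headers)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept value: base64(sha1(key + GUID)) per RFC 6455 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_response(raw: bytes, allowed=ALLOWED_ORIGINS) -> bytes:
    """Answer 101 only for upgrade requests carrying an allowed Origin.

    Any web page can open a WebSocket to 127.0.0.1, so for a loopback listener
    the browser-supplied Origin is what separates the helper's own extension
    from an arbitrary site. An absent Origin is treated like an unknown one."""
    request_line, h = parse_request(raw)
    if not request_line.startswith("GET "):
        return b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if h.get("origin") not in allowed:  # None (no Origin) also lands here
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\nConnection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_key(h['sec-websocket-key'])}\r\n\r\n"
    ).encode("ascii")
```

Note that Origin is set by the browser and cannot be overridden by page script, which is why it is a meaningful signal against cross-site WebSocket hijacking; it says nothing about a non-browser process on the same machine, which is the case the rest of the thread is about.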
vbezhenar, about 9 years ago
I'm very skeptical of any attempts to secure an already compromised machine. It's just unnecessary complications for the user, bloat for software, and a determined attacker is likely to overcome them anyway.
fixermark, about 9 years ago
So how vulnerable is loopback on a machine in general? This is almost certainly not a best practice, but I can't help but wonder how practically exploitable this is.
tedmiston, about 9 years ago
Is this post about the 1Password browser extension communicating with the Mac app?

I'd like to understand better to know whether a similar issue affects LastPass. Though at least with LastPass we're able to use the browser extension without having the native app. I don't think that's possible with 1Password for Mac.
tptacek, about 9 years ago
So what?
kazinator, about 9 years ago
The SASL authentication protocol sends cleartext passwords across a local UNIX domain socket. That's very similar: local IPC.

I use this in a web service to authenticate users. The form containing the password is submitted over HTTPS. The CGI script opens the socket and sends it to saslauthd, which replies OK or not.
slavik81, about 9 years ago
What's wrong with that?
ikeboy, about 9 years ago
On a quick look this seems to be the same as the vuln discussed in http://arxiv.org/abs/1505.06836.

1Password responded in a blog post here: https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/
revelation, about 9 years ago
If you can't trust your system, there is no point in encryption. There is an innumerable number of ways an attacker can get your password if you assume the attacker has system privileges.

If you have loopback sniffing privileges, you could also just ReadProcessMemory the password right out of 1Password's memory.
hoechst, about 9 years ago
For the record, as it's been asked in the blog post: Enpass uses loopback as well, but encrypts or encodes (obfuscates?) the data somehow. I looked into decoding the data, but I wasn't able to do it (just tried for half an hour).
detaro, about 9 years ago
General question: why is it so common to use loopback vs. UNIX domain sockets? I haven't seen the latter used outside of mail infrastructure, and they seem slightly more secure to me regarding who can connect to them.
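On the difference detaro asks about, as an added example that is not from the thread or from any product discussed in it: what a UNIX domain socket gives a local helper that a loopback TCP port does not, namely filesystem permissions on the socket node and, on Linux (assumed here, via SO_PEERCRED), the kernel's own answer to who is on the other end of the connection. The socket path and uid policy are illustrative.

```python
import os
import socket
import stat
import struct

# Assumption: Linux. SO_PEERCRED fills a struct ucred {pid_t pid; uid_t uid; gid_t gid;}
# for a connected AF_UNIX socket; a loopback TCP peer carries no such identity.
UCRED_FMT = "iII"
PEERCRED_SUPPORTED = hasattr(socket, "SO_PEERCRED")


def parse_ucred(raw: bytes):
    """Decode a struct ucred into (pid, uid, gid)."""
    return struct.unpack(UCRED_FMT, raw[: struct.calcsize(UCRED_FMT)])


def peer_is_allowed(conn: socket.socket, allowed_uids) -> bool:
    """True only if the peer process runs as one of allowed_uids.
    The credentials come from the kernel, not from anything the peer sends."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(UCRED_FMT))
    _pid, uid, _gid = parse_ucred(raw)
    return uid in allowed_uids


def bind_private_socket(path: str) -> socket.socket:
    """Listen on an AF_UNIX path that only the owning user can connect to.
    The umask is tightened before bind() so the node is never world-accessible,
    and the mode is then set explicitly (illustrative path handling)."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(0o077)
    try:
        srv.bind(path)
    finally:
        os.umask(old)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    srv.listen(1)
    return srv


def self_check() -> bool:
    """Connect a socketpair to ourselves: our uid passes, a foreign uid is refused."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        mine = {os.getuid()}
        return peer_is_allowed(b, mine) and not peer_is_allowed(b, {os.getuid() + 1})
    finally:
        a.close()
        b.close()
```

The uid check is a per-connection decision the server can make before reading a single byte; with a loopback TCP port the equivalent would require consulting the connection table out of band.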
city41, about 9 years ago
On a side note, I find 1Password Mini makes the browser extensions irrelevant. I think the extra steps that Mini requires are not a big deal, and you get a smaller surface area.
Negative1, about 9 years ago
If someone is observing your loopback, isn't it just as likely they're keylogging and have your 1Password master keyphrase?
jtth, about 9 years ago
This is stupid.
draw_down, about 9 years ago
Seems bad!
euroclydon, about 9 years ago
While we're talking about 1Password: why do they obscure the text editing area while I'm typing, but then de-obscure it when I'm done typing? The text I typed is visible when I'm done typing.
marvel_boy, about 9 years ago
Wow, the communication should be encrypted.
venomsnake, about 9 years ago
That is obviously sloppy work on the part of the developers. And bad. But anyone that can snoop on loopback already owns the machine and could just cheat engine the passwords from the browser RAM.

So it is not making a safe situation bad, but a bad situation worse. Of course, with Blizzard Warden, Steam anti-cheat, driver-level firewalls and all the other little helpers that collect information about your system, this could lead to a leak to some entity's logs in the cloud.