Unless I misunderstood, the attacker already needs to have access to your machine. If that’s the case, you have much bigger problems.
Yeah, it sounds like the first exploit required your vault to be unlocked so that a malicious process pretending to be a legitimate integration like a browser plugin could request credentials, and the second one required installing an out of date version of the app.
Good that it is all patched, and that it wasn’t a remotely exploitable issue.
Yeah, it sounds like the first exploit required your vault to be unlocked
That barely fits the requirements to even be called a vulnerability.
“Sir, this safe lock is horribly insecure because all it takes for somebody to get access to the safe is to have the owner invite an intruder over to his house, unlock the safe, and the intruder can barge right in!”
I’m all for broadcasting vulnerabilities for services that deserve it. But, taking two of the thousand unrated CVEs that appear each year, slapping on a clickbait headline, and trying to scare people into not trusting password managers is a load of shit. The only reason this trash got upvoted is because this community has a massive hard-on for locally-controlled password stores, without acknowledging the negatives.
One thing to keep in mind about how these vaults work is that you often unlock them and then they stay unlocked for a short period of time, like 5 minutes. So if you do compromise a system and can detect when it is unlocked, you have a decent window to programmatically extract credentials.
That said, it requires that your system has already been completely owned, pretty much. At that point, it could potentially log keystrokes and clipboard, and get credentials, including your master password.
Right. If you have malware on your computer, you might as well assume that every part of the computer, and everything it can connect to, is compromised.
A good reminder to always set your password manager to auto-lock (with PIN for convenience) after 3-5 minutes. The PIN makes it easy to re-log, while not being bruteforceable (AFAIK after a few failed attempts it reverts to password), and if someone got to your PC, either physically or remotely, they won’t be able to get all your passwords.
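As an added illustration (not code from anyone in this thread), here is a small Python model of the lock behaviour described above: auto-lock after an inactivity window, PIN re-unlock, and a PIN that is revoked after a few failures until the master password is entered again. The 5-minute timeout, the 3-attempt limit and the PBKDF2 parameters are assumed values, not any particular product's settings.

```python
import hashlib
import hmac
import os

PIN_ATTEMPT_LIMIT = 3        # assumed: after this many bad PINs the PIN is revoked
AUTO_LOCK_SECONDS = 5 * 60   # assumed: lock after 5 minutes without activity


class Vault:
    """Minimal model of a password-manager lock state.

    Times are passed in explicitly (seconds) so the behaviour is deterministic
    and testable; a real client would read the clock itself.
    """

    def __init__(self, master_password, pin):
        self._salt = os.urandom(16)
        self._master = self._hash(master_password)
        self._pin = self._hash(pin)
        self.pin_failures = 0
        self.unlocked = False
        self.last_activity = 0.0

    def _hash(self, secret):
        # Slow, salted hash so a stolen verifier is not trivially reversible.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self._salt, 50_000)

    def _check(self, secret, expected):
        return hmac.compare_digest(self._hash(secret), expected)

    def unlock_with_password(self, password, now):
        if self._check(password, self._master):
            self.unlocked = True
            self.pin_failures = 0        # a full unlock re-enables the PIN
            self.last_activity = now
        return self.unlocked

    def unlock_with_pin(self, pin, now):
        if self.pin_failures >= PIN_ATTEMPT_LIMIT:
            return False                 # PIN revoked; master password required
        if self._check(pin, self._pin):
            self.unlocked = True
            self.last_activity = now
            return True
        self.pin_failures += 1           # wrong PIN counts toward revocation
        return False

    def touch(self, now):
        """Called before serving any request; enforces the auto-lock window."""
        if self.unlocked and now - self.last_activity > AUTO_LOCK_SECONDS:
            self.unlocked = False
        if self.unlocked:
            self.last_activity = now
        return self.unlocked
```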
One of the best jackpots I’ve ever found during Red Teaming engagements was when I RDP’d to a server through pass-the-hash, only to find an unlocked password manager with passwords for most of the other servers, service and admin accounts.
Stop using “the cloud” to store your passwords. Unless you control said cloud, you have to trust someone to not fuck up their security that you now depend on. Everyone eventually does.
The difference is also that someone whose job is storing other people’s passwords is by definition a target. So if they fuck up, someone will notice. If you host those yourself, or you rent a place where you can host them for yourself, that is just one person’s server. The interest and possible gain for someone gaining access is so small, it’s even unlikely. So when you inevitably fuck it up, the chances someone notices before you do are relatively small.
That probably works well for people who are able to self host.
I use cloud password storage. I don’t have the knowledge, time, or inclination to self host.
In this context “self host” can ironically mean using a cloud service for hosting. You can use a file based password manager and just sync the database. Solutions like KeePass have apps for many platforms, and they can often even directly load from cloud storage, like Google Drive, OneDrive or Dropbox. The password database is strongly encrypted, and even if your storage gets compromised, your passwords are still safe (assuming a good password or some other, better security was used to encrypt it).
You give up the convenience of having a single service and having to get each device to access the file. But that’s it. It’s not that hard and so much better than a password service, even if just for their attack surface, or the “likely target” these are.
Your comment is irrelevant to the issue at hand because it’s a local attack and your suggested alternative could therefore be just as vulnerable.
Self hosting is cool for 0.0001% of the population, for anyone else it’s either too difficult or a hassle. It’s also an oversimplification that I have to “trust” the cloud company and to imply that a self hosted solution is inherently safe. You run that program on a computer with 100 different apps, each of which is an attack vector and you’re just you, without the backup of a small army of developers hunting down issues and independent parties auditing the whole shebang.
The only thing self hosting has going for it is that the target is incredibly small, but this is not as big a factor as you suggest because of the maturity of some of these services who basically just store a blob of data you encrypted locally and access to their servers or even your data is usually without danger.
Ah the Internet classic: calling someone’s comment irrelevant, when you clearly haven’t even read, or at least not understood it. It isn’t that long of a comment. Try reading it again.
Oh whatever, here’s another attempt at explaining it: there’s a huge difference if my passwords are in a place where people generally keep passwords, or if they are where only my passwords are. If someone has never heard of me, but they attack my cloud-password-solution and get in, they still get my passwords. Someone attacking me personally, if he’s truly competent as a hacker, is probably screwed either way. At least he can only attack me, he can’t attack “some public thing” and get my stuff “by accident”. Think “personal safe in my home” compared to “public bank” (ignoring the fact that a bank is insured and all that for this analogy).
Your second point would be valid if open source didn’t exist. First of all I didn’t imply that it was inherently safe, I implied that there isn’t a single point of trust, which was my whole point. Even if you can’t read/audit it yourself, there are projects that have public audits by reputable security companies. Plus if there truly were backdoors, assuming a non-tiny user base, someone would’ve probably noticed.
Then your final point seems to acknowledge the attack surface, but the problem with the “locally encrypted blob” is that this statement from the cloud provider is another thing you just have to believe them on. They might do that, they might not. Many don’t even claim that, because people like convenience and want options for password recovery to their password service. Those two are mutually exclusive.
I’m sure it’s a classic because people tend to latch on to any opportunity to start waffling after reading just the title. Ironically, you start your comment telling me I didn’t read yours and you end it with admitting that I address exactly that which you go on about. So which is it?
What bothers me most is that your solution is not realistic, you’re just proselytizing out of idealism but who is it really aimed at? Who’s going to self host a password manager? Uncle Jim and aunt Betty? You know what the average person is capable of? Writing down their passwords on a piece of paper, usually 4 separate ones with different versions for every time they’ve lost it. At best, they allow a key manager on their device to save a password when they enter it, and if the stars align and all their devices use the same OS and they authenticate, then maybe there is even some synchronization involved. That’s a lot of ands and maybes, but you suggest to ignore that and instead use a solution where they not only understand all those steps but also set it up for themselves.
The masses are not going to wake up one day with the know-how to do these things, it’s not even going to happen gradually. I don’t even want to do it, and I was born with a computer and run servers for a living. What is going to happen is that solutions that are easy enough to use will become safe enough in order to minimize the risks. Anything else is a pipe dream.
With self hosting you have to trust that you won’t fuck up, that your house or wherever you are hosting won’t lose power when you need it, or burn down or face some other disaster. At the very least you should have an external location, which you also should trust pretty thoroughly.
Also that’s not to mention that open source projects still have security vulnerabilities sometimes, and also sometimes they get a lot less developer attention than professional projects.
I love self hosting stuff and do a lot of my own computer backups etc. but the most important stuff I rely on professional cloud solutions for. I simply don’t have the resources to be able to compete.
And it is macOS only… so. While yes this is very important - this is a very small target… Mac users who use 1Password
Doesn’t sound like it would be that small of a target?
I don’t know what the user distribution is like, but I imagine Mac users are a solid chunk of users for a “premium” password manager like this.
Perhaps, I am certain that it is a non-zero number. But the majority of Apple users would use Keychain (Apple’s built-in password management) first.
Shrug. Ymmv
It works on android too… And web browsers
Does nobody read the article? 1Password works on any platform but the attack is Mac only because it’s actually getting passwords from a Mac’s keychain through older versions of 1Password.