puzzling statement in "Managing 1Password secrets in memory"
In https://discussions.agilebits.com/discussion/comment/494637/#Comment_494637 it appeared to be established with @brenty that the combination of a crash, memory dump, and telemetry could export master password, secret key, and vault contents in plain text in the absence of malware.
In view of that, it was puzzling to see paragraph 2 in the official AgileBits statement on the issue at https://support.1password.com/kb/201902a/
The most important thing to know is that the issue described in the report is only a threat to a computer that is already compromised. If your computer is not compromised, you aren’t affected by the issue.
Were we incorrect in our joint understanding that a crash and memory dump could expose secrets in the absence of malware? Or did the official statement inadvertently assert something that isn't quite right?
Comments
-
@brenty:
Your knowledge base article specifically stated “if your computer is not compromised, you aren’t affected by the issue”. This knowledge base article was written in response to the ISE research paper issues found in your product. The ISE research paper specifically stated your system does not have to be compromised for you to be at risk.
They said “secrets may be extracted in a non-running state as a by-product of system activity and/or crash/debug log files.”
Your knowledge base article is very misleading to your customers. Why?
0 -
@ski22: What is the risk, if the machine is not compromised? As far as I can tell, the ISE paper indicates that the issue exists even if the machine is not compromised. We're not disputing that. But it is important to note that without the machine being compromised, there is no actual threat.
What's misleading is telling people that they are under attack when they are not; and without the machine being compromised, they are not.
0 -
@brenty: so you consider a crash/debug log that could be transmitted back to the developer of a software product a compromised system? Something specially stated in the research paper.
Shouldn’t your customers be aware of this issue and be prepared to not allow a crash/debug log to be transmitted? How is that a compromised system?
0 -
@ski22: That sounds like malware to me: something sending secrets without your knowledge or consent. "Best" case scenario, that would be a huge bug. And I think that characterization would be generous for what you're suggesting.
The point is, 1Password doesn't do that. We don't have control over what other people's software does. And software that does bad ("Mal, from the Latin") things is the definition of malware.
0 -
It doesn’t have to be malware. It could be any trustworthy driver or software product that crashes and sends back a crash/debug log to help the developers. That’s not a compromised system, nor is it malware.
0 -
It's not trustworthy if it's sucking up memory allocated to other apps. How is an attacker going to collect the data, and retrieve it, without having malware running on your machine? Hence, the system would need to be compromised, which is why the knowledgebase article takes care to clarify that. Otherwise people can -- and do -- get the impression that somehow their secrets can be stolen just by virtue of using 1Password or one of the others in the report, and that's simply not the case. I don't see the benefit to 1Password users to be misled to believe otherwise.
0 -
Do you consider Nvidia drivers malware?
Here is what they state:
0 -
Collecting a full system memory dump to troubleshoot a graphics issue is asinine. If the software is capturing and sending all of that without informed consent from the user, I would characterize it as malware. It doesn't look like that's what's happening though, but rather that a user might do that. I wouldn't recommend it, whether you use a password manager or not.
At the end of the day, listing all of the possible permutations of bad things untrustworthy software could potentially do if you allow it to run on your machine is well outside of the scope of 1Password itself and therefore the document in question, which is about 1Password. We're not in a position to document every issue with any software out there, just 1Password. If you're an Nvidia customer and disagree with the way they're doing things (I don't have all the context, as I'm not using their tools), you'd need to get in touch with them.
0 -
The fact remains, telling your customers ONLY a compromised system is at risk of this memory issue is very misleading and plain wrong. I’m sure Nvidia isn’t the only trustworthy company getting full system dumps on crashes.
Your customers concerned about this memory issue should be warned not to allow full system dumps to be sent. Full stop.
0 -
More information about full system dumps and how trustworthy developers might request them. I doubt your customers know how this puts the customer at great risk because the complete password database including the unlock passcode is in plain text in memory. Even in a lock state.
https://www.howtogeek.com/196672/windows-memory-dumps-what-exactly-are-they-for/
0 -
Again, that isn't something that is going to happen spontaneously, and it doesn't apply specifically to 1Password users. No one should send information like that to a third party blindly.
As I said already,
How is an attacker going to collect the data, and retrieve it, without having malware running on your machine?
I'm sure you can think of all sorts of other creative scenarios in which you'd do a memory dump, but the fact remains that an attacker would need to have some way to capture that and exfiltrate it from your system. If you have reason to believe that you're in that kind of situation, it's important that you not access sensitive information and get help disinfecting.
0 -
So Nvidia and other trustworthy developers needing a full system dump for crash analysis are attackers?
Telling your customers “only” compromised systems are at risk of 1Password’s flaw of leaving ALL your passwords in memory in plain text (even in a lock state) is a big disservice to your customers in my opinion.
Your customers don’t realize the huge risk of providing memory dumps to trustworthy developers. They don’t realize 1Password’s flaw of the complete 1Password database and 1Password unlock passcode in plain text in that dump.
0 -
Only compromised systems are at risk from attackers. But we cannot stop you from sending anything to another party yourself. That's you collecting and sending the data. That is not an "attack" scenario. I'm sure you know that, but if not we're going to just have to agree to disagree at this point I think.
0 -
Sending a full memory dump to any developer is incredibly risky. Even if your 1Password secrets aren't in there, things like your Google session secrets probably are.
Maybe 1Password could add a warning that you should reboot before collecting and sending a full memory dump to anyone, but I really don't think this is a common occurrence.
0 -
@bhk asked
Were we incorrect in our joint understanding that a crash and memory dump could expose secrets in the absence of malware?
Default Windows settings (as far as I see, though this might differ in many ways) set the default Kernel Dump Mode to Automatic Memory Dump. It is a variety of Kernel Memory Dump, of which the documentation says
This dump file will not include unallocated memory, or any memory allocated to user-mode applications.
1Password for Windows also opts out of Windows Error Reporting. This should also reduce the likelihood of 1Password memory appearing in such a dump and definitely prevent 1Password memory contents being transmitted.
I don't want to make excessively strong claims about the protections that those offer; but at the same time, I would like to ask you all to test and report whether a system crash is writing 1Password memory to disk. (It might be interesting to contrast what happens when the system crash is induced when 1Password is locked versus unlocked.)
0 -
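A read-only way to check the settings the comment above refers to, as an added example that is not part of the original thread and is not 1Password's code. It assumes an elevated PowerShell session and uses the registry locations and value meanings Microsoft documents for CrashControl and WER LocalDumps.

```powershell
# Added example: read-only audit of Windows crash-dump settings (changes nothing).
$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$localKey = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

# CrashDumpEnabled values for system (bugcheck) dumps.
$kernelModes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump'
    7 = 'Automatic memory dump'
}
# WER LocalDumps DumpType values (per-process user-mode dumps).
$werTypes = @{ 0 = 'Custom'; 1 = 'Mini dump'; 2 = 'Full dump' }

$report = @()

# 1. System crash dump mode. Only a complete dump is meant to hold
#    memory allocated to user-mode applications.
$crash = Get-ItemProperty -Path $crashKey -ErrorAction SilentlyContinue
$mode  = [int]$crash.CrashDumpEnabled
$report += [pscustomobject]@{
    Source         = 'CrashControl'
    Setting        = $kernelModes[$mode]
    UserModeMemory = ($mode -eq 1)
    Path           = $crash.DumpFile
}

# 2. WER LocalDumps: the global key plus any per-application subkeys.
$keys = @(Get-Item -Path $localKey -ErrorAction SilentlyContinue) +
        @(Get-ChildItem -Path $localKey -ErrorAction SilentlyContinue)
foreach ($k in $keys) {
    $type = [int]$k.GetValue('DumpType', 1)    # WER default is a mini dump
    $report += [pscustomobject]@{
        Source         = "WER LocalDumps ($($k.PSChildName))"
        Setting        = $werTypes[$type]
        UserModeMemory = $true                 # a process dump holds that process's memory
        Path           = $k.GetValue('DumpFolder', '%LOCALAPPDATA%\CrashDumps')
    }
}

# 3. Is a system dump already sitting on disk?
$dumpFile = [Environment]::ExpandEnvironmentVariables([string]$crash.DumpFile)
if ($dumpFile -and (Test-Path -LiteralPath $dumpFile)) {
    $f = Get-Item -LiteralPath $dumpFile
    "Existing system dump: $($f.FullName), $([math]::Round($f.Length / 1MB)) MB, written $($f.LastWriteTime)"
}
$report | Format-Table -AutoSize
```

A row with `UserModeMemory` set to `True` marks a dump type whose files should be treated as containing application secrets before they are shared with anyone.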