
How is 1Password online protected against stolen browser session token?

johnnygoodface
Community Member
edited March 2023 in Memberships

On Safari (Ventura), the first time you log into 1Password online, it will ask for the 2FA authentication (for example: a security key). If you log off and log back in, 1Password won't ask for the 2FA for a while, because it's saved a session token locally on the Mac on the first login session.

Now, after what just happened to Linus Tech Tips (they got hacked by executing an email attachment, which in turn accessed their locally saved passwords, cookies and thus including their session tokens), I'm afraid that something like that could happen to us (nobody is fully protected against email attachments/malware) and therefore the hacker could get access to our 1Password account online just by using our browser's saved session token, therefore bypassing all security.

How is 1Password online protected against such an attack vector?


1Password Version: 1Password for Mac 8.10.4 (81004004)
Extension Version: 2.8.1
OS Version: Ventura 13.2.1
Browser: Safari

Comments

  • looms
    Community Member

    I have this question also

  • johnnygoodface
    Community Member

    No reply?

  • Hey there everyone,

    I'm with the security team here at 1Password and hopefully I can clear up your concerns. The short answer is no: we don't use session tokens in the same way other web apps do, and this type of malware can't steal your 1Password sessions. It's important to call out here, though, that active malware on your system is pretty problematic as it could do almost anything, including trying to phish your 1Password credentials later on and get a session for itself.

    Diving right into the question @johnnygoodface asked: 1Password is not vulnerable to the same style of session theft attacks. Let's go ahead and dig into why. I'll also preface this with a heads up that I won't be talking too much about 2FA specifically. 1Password can only truly depend on 2FA the first time you sign in to a device or application, because there's no existing data stored locally. After the 1Password server has returned it, offline access might be possible depending on what application you're using (1Password for the Web does not store cached data offline today, but 1Password for Mac and other clients do). We wrote about what 2FA does for a 1Password account here on our blog if you'd like to dive more into some specific scenarios.

    In general, though, it's good to keep in mind that your password is what protects your data after signing in somewhere for the first time.

    Now, let's jump into the session restoration specifically. In a traditional web application (one that only uses authentication), the app converts your credentials into a session token for user convenience, and considers it valid for a period of time. I also watched Linus' video and he did a good job covering this. In 1Password, however, your account password and secret key (depending on your account type) are mixed and processed with SRP. That last link is another blog entry if you're curious, but at a high level it involves the 1Password server and client generating one-time keypairs, and then mixing them with specific values. The client utilizes your account credentials and the server utilizes a "verifier" that the client gave it when you first created your 1Password account (or changed your credentials). The end result of this is a one-time encryption key.

    With the encryption key derived by the server and app, you're now able to securely communicate with 1Password.com, including downloading your encrypted vaults and items. Now comes the important part: all 1Password apps only store this key "in-memory." This means that it never leaves the browser tab process when using 1Password in your browser, and therefore isn't stored on disk like a traditional session token. When you refresh the page or manually sign out, the session key is erased. Once it's gone, your app or browser no longer has the ability to talk to 1Password's servers, or authenticate as you. This is with the exception that this gets complicated with accounts which unlock with SSO.

    Finally, let's step through a hypothetical attack similar to what LinusMediaGroup experienced: let's say that you're using a 1Password for Teams account and not using SSO. You go to 1Password in the browser, move some items around, and then go to another tab. A few minutes later, you open your email client and download a suspicious attachment by mistake. Let's say that 1Password in your unfocused tab has automatically locked now (malware attacking other processes, like your browser, is a complicated topic so I'm skipping that kind of attack for now). After opening the attachment, malware in it steals your browser's local storage. You're still in a tricky situation because there are plenty of services that store session tokens, but since 1Password didn't store anything there your account won't be instantly vulnerable. If that happened, it would be good to change your secret key on a different device though!

    Hopefully that clears up your concerns about account theft, but if not I'm happy to answer any follow-up questions you still have, or came up with after reading more about how we do session management.
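The SRP exchange described in the answer above, worked through as an added example (this is not 1Password's code and not taken from the thread). It simulates both sides of an SRP-6a sign-in: enrollment stores only a salt and a verifier on the server, each sign-in uses fresh one-time keypairs, and the resulting key exists only as a local variable in memory on each side. Two simplifications are assumptions of this example: the group is a constructed 64-bit safe prime (real deployments use the large RFC 5054 groups), and the password alone is hashed into `x` (the answer notes 1Password also mixes in the Secret Key). Comparing the two keys directly stands in for the protocol's proof messages.

```python
import hashlib
import secrets

# --- toy group parameters (constructed for this example) ---------------------
# Real SRP deployments use the large safe-prime groups from RFC 5054; a 64-bit
# safe prime keeps this example fast while the algebra stays identical.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < 3.3e24 (covers our 64-bit search)."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """Smallest safe prime N = 2q + 1 with q >= start and q prime."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


N = find_safe_prime(1 << 62)
Q = (N - 1) // 2
# a generator of the whole group: element of order neither 2 nor Q
g = next(c for c in range(2, 1000) if pow(c, 2, N) != 1 and pow(c, Q, N) != 1)


def H(*parts) -> int:
    """SHA-256 over the parts, returned as an integer (toy SRP hash)."""
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


k = H(N, g)  # SRP-6a multiplier parameter


def enroll(password: str) -> dict:
    """Client-side enrollment: the server only ever receives (salt, verifier)."""
    salt = secrets.token_bytes(16)
    x = H(salt, password)  # simplification: 1Password also folds the Secret Key in here
    return {"salt": salt, "verifier": pow(g, x, N)}


def srp_exchange(record: dict, password_attempt: str) -> tuple:
    """One sign-in. Returns (client_key, server_key); they match only when the
    password is right. Neither the password nor the key ever crosses the wire."""
    # client: one-time keypair
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # server: one-time keypair, blinded with the stored verifier
    b = secrets.randbelow(N - 2) + 1
    B = (k * record["verifier"] + pow(g, b, N)) % N
    if A % N == 0 or B % N == 0:  # SRP-6a abort conditions
        raise ValueError("degenerate ephemeral value; abort the handshake")
    u = H(A, B)
    if u == 0:
        raise ValueError("u must be non-zero; abort the handshake")
    # client side: needs x, and therefore the real password
    x = H(record["salt"], password_attempt)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # server side: needs only the verifier and its own ephemeral b
    s_server = pow(A * pow(record["verifier"], u, N) % N, b, N)
    # both keys are plain local variables: nothing is written to disk or storage
    return H(s_client), H(s_server)


def keys_agree(record: dict, password_attempt: str) -> bool:
    """True when client and server derived the same one-time session key."""
    client_key, server_key = srp_exchange(record, password_attempt)
    return client_key == server_key


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")
    print("right password ->", keys_agree(rec, "correct horse battery staple"))
    print("wrong password ->", keys_agree(rec, "hunter2"))
```

The point to take from running it: the server-side record holds no password and no reusable key, and a fresh `a`/`b` pair is drawn on every call, so there is no long-lived token for malware to lift from browser storage; what the thread warns about remains true, though, because malware that can read the tab's memory or phish the password later is outside what the protocol protects.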

  • J_O_D
    Community Member

    Every time I read an explanation like this, it assures me once again that my digital security is in the best hands. I just cannot express my gratitude enough.

  • Thanks so much for the kind words, @J_O_D. I've shared them with Christian. 🤗

    Ben

  • johnnygoodface
    Community Member

    @ag_Christian Thank you very much for explaining in such detail. From what I can understand, I feel very well protected, and clearly you've already addressed the possible issue of my initial question, and more. It's just that there's soooooo much personal stuff in 1Password that I can't even imagine what would be the impact of having all of it stolen, but I see you guys are very serious about the security in your app, and that's soothing!

  • @johnnygoodface, thank you for the kind words as well - I'll be sure to pass them on to Christian also! 🙂
    If you'd like a bit more information, our security is very open to make sure everyone knows what we're doing behind the scenes: we wrote a White Paper and published it on our website.
