Secuvera findings

CarOli
Community Member
edited August 2024 in Windows


Hi there,
will you improve the security of your product after secuvera's findings?

Yes, secrets need to be accessible to the processor, but the findings say the secrets of 1P stay there even after actions where customers would assume that the secrets are deleted.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • hcq
    Community Member
    edited September 2024

    In a recent investigation, security experts from secuvera GmbH have identified a serious vulnerability in various security-relevant applications such as OpenVPN, Bitwarden and 1Password. It leads to confidential information such as passwords or login information remaining in plain text in the process memory even after users have logged out, making it easily accessible to potential attackers. This vulnerability is classified as CWE-316: Cleartext Storage of Sensitive Information in Memory. See: https://www.heise.de/en/news/Serious-flaw-in-critical-applications-Plaintext-passwords-in-process-memory-9830799.html



  • miggl8
    Community Member

    Hello 1Password Team,

    today I came across a report by secuvera which highlights a vulnerability in 1Password, classified as CWE-316. According to their findings, certain sensitive information, such as the SecretID, remains in memory even after the application is closed, which could potentially expose this data to unauthorized access.

    Could you please provide more details on how 1Password classifies this vulnerability? Is there any ongoing work to address this issue, or are there recommended steps we as users can take to mitigate this risk on our systems?

    Best regards,
    miggl8



  • CarOli
    Community Member
    edited August 2024

    Mmmh,

    as ever emphasized by this company: 1password is very security aware.

    That doesn't fit with not reacting to a security flaw. Not a word here...

  • Chris90
    Community Member

    The German Federal Office for Information Security (BSI) has issued a warning today via its weekly newsletter, in which 1Password is also being misused.

    Who can simply explain what the problem is here, how serious the problem is and if the problem is already fixed at 1PW?
    Thank you

    (The following text is a DeepL translation of the German text at the end.)

    Alert!
    VPN clients and password managers affected: Plain text password in process memory
    Due to a vulnerability in VPN clients and password managers, among others, confidential data remains in the process memory even after logging off and can be read.

    12.08.2024, 06:02 a.m.
    Reading time: 2 min.
    iX Magazine
    By
    Ute Roos
    In a recent investigation, security experts from secuvera GmbH have identified a serious vulnerability in various security-relevant applications such as VPN software and password managers. It leads to confidential information such as passwords or login information remaining in plain text in the process memory even after users have logged out, making it easily accessible to potential attackers. This vulnerability is classified as CWE-316: Cleartext Storage of Sensitive Information in Memory.

    Malware on a computer is usually able to read the memory of other processes and utilise the data. Data such as passwords and other confidential information that is stored unencrypted in the memory of a programme after the login process is therefore problematic. For the study, the experts tested various applications under realistic conditions, including VPN clients and password managers that were explicitly developed to protect such user information.

    At least make the attack more difficult

    There is no simple solution to this inherent problem. However, some workarounds can at least make it more difficult for attackers to access the data. As the data is decrypted and loaded into the main memory in plain text at the time the program is used, even if strict guidelines for data encryption are observed, the aim should be to minimise the time window for a potential attack. Application developers should ensure that the data is deleted from memory or at least securely overwritten as soon as it is no longer needed or the user closes the application or logs out.

    The programmes tested included OpenVPN, CyberGhost VPN, Mullvad, 1Password and BitWarden. In many of the programmes tested, the confidential data was still found in the process memory even after the user had logged out - even master passwords from password managers. secuvera lists all kinds of access data as information found: from email addresses and account IDs to passwords and 2FA codes, although they do not differentiate according to importance in the report. The reactions of the manufacturers, who were informed immediately, were varied: while some manufacturers, such as CyberGhost VPN, recognised the vulnerabilities and have already released security updates, other manufacturers have so far remained inactive or refused to fix the vulnerabilities. One provider even forbade the publication of its name and the results. Further details on the investigation can be found in a blog article on the secuvera website.
    UPDATE
    12/08/2024, 09:41 am
    Product names in the first paragraph removed and the type of information found specified in more detail at the end.

    Original:

    Alert!
    VPN clients and password managers affected: Plaintext password in process memory
    Because of a vulnerability in VPN clients and password managers, among others, confidential data remains in process memory even after logging out and can be read.

    12.08.2024, 06:02
    Reading time: 2 min.
    iX Magazin
    By
    Ute Roos
    In a recent investigation, security experts at secuvera GmbH identified a serious vulnerability in various security-relevant applications such as VPN software and password managers. It causes confidential information such as passwords or login credentials to remain in plaintext in process memory even after users log out, making it easily accessible to potential attackers. This vulnerability is classified as CWE-316: Cleartext Storage of Sensitive Information in Memory.

    Malware on a computer is usually able to read the memory of other processes and use the data. Data such as passwords and other confidential information that is stored unencrypted in a program's memory after the login process is therefore problematic. For the study, the experts tested various applications under realistic conditions, including VPN clients and password managers that were developed explicitly to protect such user information.
    At least make the attack harder

    There is no simple solution to this inherent problem. Some workarounds can, however, at least make it harder for attackers to get at the data. Since the data is decrypted and loaded into main memory in plaintext while the program is in use, even where strict data-encryption policies are followed, the goal should be to minimise the time window for a potential attack. Application developers would have to ensure that the data is deleted from memory, or at least securely overwritten, as soon as it is no longer needed or the user closes the application or logs out.

    The programs tested included OpenVPN, CyberGhost VPN, Mullvad, 1Password and BitWarden, among others. In many of the tested programs, the confidential data was still found in process memory even after the user had logged out, even master passwords of password managers. As information found, secuvera lists all kinds of credentials: from e-mail addresses and account IDs to passwords and 2FA codes, although the report does not distinguish by importance. The reactions of the vendors, who were informed without delay, varied: while some vendors, such as CyberGhost VPN, acknowledged the vulnerabilities and have already released security updates, other vendors have so far remained inactive or refused to fix the vulnerabilities. One provider even prohibited publication of its name and the results. Further details on the investigation can be found in a blog article on secuvera's website.
    UPDATE
    12.08.2024, 09:41
    Product names removed from the first paragraph and the type of information found specified in more detail at the end.


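The mitigation the quoted article recommends (delete or securely overwrite secrets as soon as they are no longer needed, instead of leaving them behind after logout) in working code, as an added example that is not part of this thread and not 1Password's own code; the session struct, its field names and the secret value are constructed for illustration, and `contains_secret` is the kind of residue check a developer can put in their own test suite:

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical session object; the field names are constructed for this
 * example and are not 1Password's internal data structures. */
typedef struct {
    char secret_key[64];  /* the account Secret Key, held in cleartext while unlocked */
    size_t secret_len;
    int unlocked;
} session_t;

/* Overwrite through a volatile pointer so the compiler cannot drop the wipe
 * as a dead store, which it may do with a plain memset() right before free(). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Unlock: the moment the secret becomes cleartext in process memory. */
int session_unlock(session_t *s, const char *secret) {
    size_t len = strlen(secret);
    if (len >= sizeof s->secret_key) return -1;
    memcpy(s->secret_key, secret, len + 1);
    s->secret_len = len;
    s->unlocked = 1;
    return 0;
}

/* Logout done badly: only flips the flag and leaves the cleartext behind.
 * This is the CWE-316 pattern the secuvera report describes. */
void session_logout_leaky(session_t *s) { s->unlocked = 0; }

/* Logout done properly: wipe the secret as soon as it is no longer needed. */
void session_logout_wiped(session_t *s) {
    secure_wipe(s->secret_key, sizeof s->secret_key);
    s->secret_len = 0;
    s->unlocked = 0;
}

/* Residue check for a developer's own test suite: scan a memory region for a
 * copy of the secret. Returns 1 if a copy is still present, 0 otherwise. */
int contains_secret(const void *buf, size_t buf_len, const char *secret) {
    const unsigned char *b = buf;
    size_t n = strlen(secret);
    if (n == 0 || n > buf_len) return 0;
    for (size_t i = 0; i + n <= buf_len; i++)
        if (memcmp(b + i, secret, n) == 0) return 1;
    return 0;
}
```

Wiping one buffer does not cover copies the runtime may have made elsewhere (stack temporaries, reallocated buffers, swap), which is why the article frames this as minimising the attack window rather than eliminating it.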

  • Dave_1P
    edited August 2024

    Hello everyone,

    The reported issue is classified as a “local attack,” which means a malicious actor would need to first gain access to an end user’s computer. Once a malicious actor has complete control over your device, the software on that device is vulnerable to local attacks. Using any software on a device you cannot trust is inherently risky, and we recommend ensuring you are running updated software on well-secured endpoints that you trust.

    A quick refresher on how 1Password’s security model works:

    • Your 1Password account password protects your data on your devices. Someone who has access to your devices or backups won’t be able to unlock 1Password without your account password, which only you know.
    • Your Secret Key protects your data off your devices. Someone who attempts a brute-force attack on our servers won’t be able to decrypt your data without your Secret Key, which we never have.

    The researchers did not recover the 1Password account password from memory. In this case, researchers obtained the Secret Key, and only the Secret Key, from a device's local memory which isn’t sufficient to decrypt the data stored in 1Password since it remains protected using your account password.

    Even if an attacker with control of your local device was prevented from recovering the Secret Key from memory, they would still be able to recover the Secret Key from other locations on disk. For example, from the browser's local storage if you’re using 1Password in the browser, or in OS-managed keychains.

    In our security design whitepaper (pg. 82) and in our blog, we outline the limitations of protection against these local attacks where a malicious actor has control of your devices. 1Password will continue to work on increasing these protections where possible.

    -Dave

  • CarOli
    Community Member

    Thank you for commenting.

  • Thank you for the questions. 🙂

    -Dave