Password Manager Injection Attacks

JAC3467
Community Member

Yesterday I was listening to Steve Gibson's Security Now podcast, and one of the day's topics was password managers and specifically what was described as injection attacks. You can read the content here starting on page 13:

https://www.grc.com/sn/SN-992-Notes.pdf

Password managers are a semi-regular topic on Gibson's podcast, and he in fact went into great detail on the LastPass breach. 1Password is a sponsor of his podcast, as is Bitwarden. As the notes describe, a researcher brought attention to two papers that dug into password manager vulnerability via injection attacks. They looked at 10 password managers, 1Password being one of them.

There were three vulnerabilities described:

  1. "The first class of attacks, which the researchers refer to as “Vault-Health Logging”, rely upon the newer features of application-wide metrics."
  2. "The second class of attacks is “URL icon fetching”."
  3. "The third and final class of attacks only affects KeePassXC (among the top ten password managers tested). This arises from KeePassXC’s storage file system."

Regarding attack 1, my concern is on 1Password's Watchtower. For attack 2, based on the podcast, I have disabled website icons in my settings. And attack 3 is not an issue, or is it? 1Password has a local vault that enables offline use.

Gibson indicated all the password managers were contacted with the research findings prior to publication, so I assume this is known to 1Password. And with that I'd like 1Password to comment.

Folks digging into the details like this is nothing but a good thing as uncovering weaknesses benefits us all.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
