Security: Same-origin policy
I don't know if this has been posted before; I searched the forum for "vulnerability" but didn't find anything. I wasn't sure where to post it since there isn't an extension section in this forum, so I figure the lounge will suffice.
The research was done by iSEC Partners and released on 11/13/13.
I will post the important part from the document here, but you can download the original whitepaper here or view it on Scribd here; see section 2.3, Subdomain Equivalence.
OneLastPass, LastPass, MaskMe and 1Password ignored subdomains when comparing origins. That means that a login form encountered on https://forum.example.com will still be treated as equivalent to a login form encountered on https://example.com/log_in — violating the same-origin policy. Subdomain equivalence is quite dangerous because some subdomains — such as user discussion forums, blogs, or mail subdomains — can often be manipulated by an attacker. For example, a forum that allows for HTML formatted comments could be exploited by an attacker to add a login form on a domain, and thus steal credentials from unsuspecting users. In addition, an application with multiple subdomains is likely to have weaker ones that could be vulnerable to Cross Site Scripting (XSS) attacks — and could effectively allow an attacker to retrieve credentials for the parent domain when the password is auto-filled on a fake login form.
I feel that this is a fairly important issue and should be addressed by the 1Password dev team.
Comments
-
The title may be more provocative than the reality. Please see Jeff’s reply on Quora: http://www.quora.com/Passwords/What-is-Agile-Softwares-response-to-the-paper-documenting-how-1Password-and-othe-password-managers-leak-passwords/answer/Jeffrey-Goldberg
-
Jeff really hits that one out of the park, doesn’t he? Of course the only reason he can is that 1Password actually does hold up well under scrutiny.