Cross-App Resource Access (XARA)


Comments

  • kohls
    kohls
    Community Member

    Today's Headline in Forbes: Apple App Security Fails Leave Macs And iPhones Vulnerable To 'Devastating' Attacks

    "… Another Mac OS X flaw involved WebSocket, used to display web content in apps. Thanks to a lack of authentication, it was possible for a malicious app to hijack a port supposed to be used by a legitimate app to access that web content. The study saw the 1Password password management app attacked in this way to access credentials."


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • khad
    khad
    1Password Alumni

    In the meantime I'm disabling Safari and Chrome 1PW extensions and copying and pasting passwords via the 1PW mini app icon in the menu bar.

    @eltel, I believe it is much easier for malware to grab data from your clipboard than to exploit the issue discussed here. It is much safer to use the extension than to be shuttling passwords on your clipboard all the time.

    Also, folks, keep in mind that if a malicious app gets installed, it could just replace 1Password to steal your master password and data more directly. There is no need to do the WebSockets dance.

    If you haven't yet seen @jpgoldberg's blog post, he expands a bit more on this there:

    …roughly speaking, such malware can do no more (and actually considerably less) than what a malicious browser extension could do in your browser.

    Here is the post:

    1Password inter-process communication: a discussion

    Please do give that a read and let us know if you have any additional questions or concerns.

  • V_K
    V_K
    Community Member

    I'd like some clarification on this too. I read the blog post and I have a couple of questions.
    1. Does this problem affect equally both the version of 1Password bought through the App Store and the one bought through the AgileBits website? Would it be any easier to fix on the latter?
    2. The blog post mentions that the biggest issue is mutual authentication between the main 1password app and 1password mini. It also mentions that using an encryption key won't help here. I don't understand why. Why can't the app generate a public-private encryption pair upon installation and rely on it for all further authentication between the main app and the mini? Could somebody explain please?

  • michaelcccc
    michaelcccc
    Community Member
    edited June 2015

    So 1Password is no longer secure? Can the program still work securely? How much risk? When fixed?

    http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/

    This is very concerning. Please advise what your software users should do.


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • hawkmoth
    hawkmoth
    Community Member

    There is a new blog post about this here.

    If there are newer posts when you go there, be sure to scroll down.

  • idontno
    idontno
    Community Member

    I am concerned about the recently exposed threat with 1Password passwords being intercepted on OS X.

    Jeff said in his post https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/
    "Remember that the browser extension never sees your Master Password"
    Maybe I'm not understanding it. I'm using 1Password 5.3.2, Firefox 37.0.2 and OS X 10.10.3. If I want to log into a website I click the 1Password icon in Firefox [not the 1Password mini icon or the app]. I am prompted for my master password if the vault is locked.

    • Is this firefox passing my request to 1Password mini ?
    • Does this represent a way for a compromised browser or plugin to capture my master password - by presenting a mockup of the unlock dialog ?
    • Would it be better practice for me to first unlock the vault using the 1Password app rather than entering my master password at the browsers prompt ?

    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • Vee_AG
    Vee_AG
    1Password Alumni

    A bit of housekeeping: I've just merged several related threads from the Mac forum into this thread. It may be a little messy, but it's much better to keep all conversation about a specific topic like this in one thread. Thanks! 8-)

  • idontno
    idontno
    Community Member

    The security paper seemed like it was about Apple's sandbox approach and the demonstrated potential to introduce malicious apps to OS X. 1Password was just an example, yes? They showed how a malicious app, once installed on OS X, could trick a 1Password browser extension into IPC communication.
    My question - could the same thing happen on windows - do the browser extension and the 1Password app use the same mechanism to communicate ?

  • toejam
    toejam
    Community Member

    I see that Apple announced a security flaw that may make 1Password vulnerable. Any advice? Thank you.

    http://www.msn.com/en-us/news/itinsider/a-huge-security-flaw-has-been-discovered-in-apple-devices-that-could-allow-hackers-to-steal-your-passwords-and-data/ar-AAbHGNa


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • schralp
    schralp
    Community Member

    What about the recently reported flaw in Apple's software; does 1Password protect against compromise. See link:

    http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/


    1Password Version: 5.3
    Extension Version: Not Provided
    OS Version: 10.10.3
    Sync Type: dropbox

  • hawkmoth
    hawkmoth
    Community Member

    Read about this in AgileBits's recent blog post, here.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited June 2015

    The issue isn't about a system being pwnd (is it?) ... I'm not sure how being pwnd is relevant?

    @EuroTrash: Yes. You need to run malicious code on your system for an attacker to take advantage of the inter-app communication limitations. This isn't something that can just spontaneously happen by viewing a webpage or merely downloading an app.

    If 1password mini can be faked (App Store issue?) why can't it get my vault password and with it all the keys to my kingdom?

    Precisely. In order to be affected, you need to have malicious code running on your system with your user privileges. And once that happens, all bets are off. See below.

    The security paper seemed like it was about Apple's sandbox approach and the demonstrated potential to introduce malicious apps to OS X. 1Password was just an example, yes? They showed how a malicious app, once installed on OS X, could trick a 1Password browser extension into IPC communication.

    @idontno: On OS X a malicious app can impersonate any other app and take ownership of its system keychain items, and the target will not know that it is now a "guest", using the keychain items now owned by the malware.

    My question - could the same thing happen on windows - do the browser extension and the 1Password app use the same mechanism to communicate ?

    It isn't clear at this time if this could be done on Windows. Even if it were possible, it would be similar in principle but novel in execution (due to platform differences). Essentially someone would need to find their own way in. The way 1Password itself communicates is the same on both platforms, but someone would have to do the work there to determine if it can be done.

    @jasnw: Sorry for not being clearer (I tried really hard, but it was a late night for me)! John Graybosch said it much better than I ever could:

    There’s only so much you can do. It all comes down to ‘once you have malware on your computer, it’s no longer your computer.’

    Let's review what's required for the communications between 1Password mini and the browser extension to be compromised:

    1. You download malicious code to your computer. There may be some hurdles here if it is something that managed to get approved for the App Store. Even legitimate apps have trouble getting approved, and sometimes get flagged as malware, so this is no small feat.
    2. You execute the malicious code on your computer. Even if it is something from outside the App Store, you'll need to confirm that you want to run software you "downloaded from the internet" that's from an "unknown developer". I think we're all familiar with this message. At this point it can impersonate you, since it's running with your user privileges.
    3. (Optionally) you continue using the computer normally, giving the malicious code the chance to exploit the connection between extension and mini should the mini be restarted for some reason.

    (Note: this is what you the user must do, in addition to the work that must be done by the attacker in preparation and execution of the attack)

    At this point you've already installed malicious software ("malware") on your computer, which can either (A) try to masquerade as 1Password mini and wait for passwords to capture on the fly, (B) pose as 1Password to capture your Master Password to decrypt all of your data, or — more "helpfully" — (C) simply sit back and collect anything on the system that can be accessed with your user privileges and wait for you to elevate or unlock data that is not already available (such as information stored in 1Password). When an app is running as you it can see the same things you can.

    If it were me, call me lazy, but I'm not going to bother trying to impersonate 1Password mini when I can simply sit back and collect data (clipboard, screenshots, information sent or received in the browser itself) while the user does the work for me.
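The two claims in the reply above, that whichever local process owns the port is the one the extension reaches and that code running with your user privileges can read whatever you can, as an added example in runnable form. This is not code from the thread, from AgileBits or from 1Password: it assumes plain TCP in place of the WebSocket, an OS-chosen ephemeral port in place of the real one, a temporary directory as the helper's config directory, and a simple HMAC challenge-response of my own design standing in for "using an encryption key".

```python
"""Added illustration for this thread; not code from AgileBits or 1Password.

Two points made above, in runnable form:
  1. A loopback port has no identity. The extension reaches whichever local
     process bound the agreed port first, so a helper that is started (or
     restarted) after an impostor loses the port and the client cannot tell.
  2. Malware running under the user's own account reads whatever the user can
     read, so a shared secret the helper keeps on disk, even with mode 0600,
     lets the impostor pass a challenge-response check built on that secret.

Constructed for the demo: plain TCP instead of WebSocket, an OS-chosen
ephemeral port instead of 1Password's real port, a temporary directory as the
"config dir", and a simple HMAC challenge-response of my own design.
"""
import hashlib
import hmac
import os
import socket
import tempfile
import threading
from typing import Optional, Tuple

LOOPBACK = "127.0.0.1"


def write_secret(config_dir: str) -> Tuple[str, bytes]:
    """The legitimate helper generates its IPC secret and stores it owner-only."""
    path = os.path.join(config_dir, "ipc-secret")
    secret = os.urandom(32)
    with open(path, "wb") as fh:
        fh.write(secret)
    os.chmod(path, 0o600)  # keeps out other users, not other processes of this user
    return path, secret


def read_secret(path: str) -> bytes:
    """Any process running as the same uid can do this, including malware."""
    with open(path, "rb") as fh:
        return fh.read()


def _answer_challenge(listener: socket.socket, secret: bytes, banner: bytes) -> None:
    """Whoever owns the port: receive a nonce, reply banner|HMAC(secret, nonce)."""
    conn, _ = listener.accept()
    with conn:
        nonce = conn.recv(32)
        tag = hmac.new(secret, nonce, hashlib.sha256).digest()
        conn.sendall(banner + b"|" + tag)


def extension_connect(port: int, secret: bytes) -> Tuple[str, bool]:
    """The 'extension': connect to the agreed port and verify the HMAC."""
    nonce = os.urandom(32)
    with socket.create_connection((LOOPBACK, port), timeout=2) as conn:
        conn.sendall(nonce)
        reply = conn.recv(256)
    banner, _, tag = reply.partition(b"|")
    expected = hmac.new(secret, nonce, hashlib.sha256).digest()
    return banner.decode(), hmac.compare_digest(tag, expected)


def demo(config_dir: Optional[str] = None) -> dict:
    """Impostor starts first, squats the port, and passes the check anyway."""
    if config_dir is None:
        config_dir = tempfile.mkdtemp()
    secret_path, secret = write_secret(config_dir)

    # Step 1: the impostor binds the port before the real helper does.
    impostor = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    impostor.bind((LOOPBACK, 0))  # 0 lets the OS pick a free port
    impostor.listen(1)
    port = impostor.getsockname()[1]

    # Step 2: the impostor, running as the same user, reads the helper's secret.
    stolen = read_secret(secret_path)
    worker = threading.Thread(
        target=_answer_challenge, args=(impostor, stolen, b"impostor"), daemon=True
    )
    worker.start()

    # Step 3: the legitimate helper now cannot take the port (EADDRINUSE).
    legit = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        legit.bind((LOOPBACK, port))
        legit_bound = True
    except OSError:
        legit_bound = False
    finally:
        legit.close()

    # Step 4: the extension connects; the impostor answers and passes the check.
    answered_by, challenge_passed = extension_connect(port, secret)
    worker.join(2)
    impostor.close()
    return {
        "port": port,
        "legit_bound": legit_bound,
        "answered_by": answered_by,
        "challenge_passed": challenge_passed,
    }


if __name__ == "__main__":
    print(demo())
```

The secret file is mode 0600, which is the strongest thing plain file permissions can express, and the impostor still reads it because permissions separate users, not processes of one user. That is the gap a per-install key pair cannot close on its own: the private half has to live somewhere the helper can read, and anything the helper can read, same-user malware can read too.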

  • AGAlumB
    AGAlumB
    1Password Alumni

    Just to clarify a few things, despite linkbait headlines, the "keychain zero-day vulnerability" does not apply to iOS since the source of the vulnerability (Access Control Groups) does not exist on iOS to begin with. It seems that there are a lot of claims being made "on behalf of" the researchers on "news sites" that aren't borne out in the actual research.

    It probably isn't helped that a few different vulnerabilities that differ between platforms are being lumped into a single category ("XARA") under a single banner ("Unauthorized Cross-App Resource Access on Mac OS X and iOS"), so there's probably a combination of sensationalism and confusion surrounding this, even from news outlets that are ostensibly more tech-savvy. Here are some highlights from the paper which I've typed up here (god forbid they allow anyone to copy and paste!) since they relate to some of the questions that folks have been asking in this thread and others (emphasis mine; typos theirs):

    Ultimately, any apps may be susceptible to the same system exploits; only the stakes are different (passwords versus shopping lists).

    The fundamental cause for the ZARA flaws is unprotected cross-ap resource sharing and communication. Comparing OS X with iOS, the latter is relatively securer simply because it does not support credential sharing (among different apps) through a keychain item and sub-target sharing (e.g., framework) through container, nor does it provide any complicated IPC mechanism like distributed objects. For every avenue opened across apps, proper authentication should always be in place. Otherwise, an XARA risk may show up.

    Interesting. You mean these vulnerabilities might not apply to each platform in equal measure?

    A straightforward solution is to strip some functionalities from the keychain, making it simple. Actually, iOS does not have this issue, because its keychain does not support the ACL at all: every app is only allowed access to its own item and there is no flexibility to let a group of apps share secrets except those by same developers.

    So, we see here — finally — that iOS is not even vulnerable to most exploits outlined in the paper (notably keychain).

    The cause of the problem could be the convenience given to the app developer to share frameworks, helpers or XPC Services in different apps. Particularly, in our study, we scanned 1,612 apps from the Mac App Store and found 40 frameworks shared by different developers, e.g., Dropbox-OSX.framework used by 14 apps for subscribing the Dropbox service.

    Note: 1Password for Mac and Windows do not use Dropbox frameworks; they write data directly to the filesystem and the Dropbox app syncs it. Although for different reasons, Dropbox (as it relates to 1Password) is not vulnerable on either iOS or OS X.

    This security risk is not present on iOS, on which the containers of main programs and sub-targets are put under different parent directories, and most importantly, they are named with randomly generated UUIDs. Again, the simplicity of the container structures here could be the result of limited functionalities of iOS apps, which do not need to extensively share resources among them.

    Secure by design. Nice job, Apple! So far, though, this sounds a bit better for iOS than OS X. Tell me more!

    With its careful design, this access-control mechanism was found in our research to still contain security-critical vulnerabilities, allowing a malicious app to hijack a target app’s keychain item. One scenario for this exploit is that when the malware runs before the victim app creates a password (or rather a keychain item) in the keychain. What the attacker can do here is to use the attributes of the target app (the victim) to claim an item and also craft an ACL that includes the target as a trusted app. When the target uses the keychain to store password, it discovers the item as its own secure storage (illustrated by the Apple’s template code in Figure 2). Note that this is reasonable given that an app’s older version or other apps from the same developer may have already been installed on the system. Since the target is on the ACL of the item (which is controlled by the attacker), the OS allows all its operations to proceed. Therefore, at no point the target gets any indications from the keychain that it is just a guest user of the item, and the owner is untrusted. This confusion will cause the target to divulge its secrets to the attacker, whenever it updates the user’s credentials to the keychain.

    The takeaway here is that, again, once you execute malicious code on your system (especially one as open as OS X) the ceiling is the limit (due to user privileges) when it comes to what an attacker can do. But significantly, a malicious app still cannot access your 1Password for Mac or iOS Master Password. In the case of the Mac, 1Password does not save your Master Password in the OS X Keychain (in spite of users requesting that we do so). And in the case of iOS, even if it is stored in the iOS Keychain for use with Touch ID, iOS apps simply cannot access each other’s data.

    In the end, everything that was successfully exploited as described in the research paper depended on malicious apps being installed and executed by the user. While overall this has been a great deal of bad news for users in general, the good news is that we do not have to cede control to malware. We have the power.

    For perhaps more enjoyable reading (and better writing overall), definitely check out this great overview from iMore:

    No one needs to panic, but anyone using a Mac, iPhone, or iPad should be informed. Until Apple hardens OS X and iOS against the range of XARA exploits, the best practices for avoiding attack are the same as they've always been — don't download software from developers you don't know and trust.

  • peterstampfli
    peterstampfli
    Community Member

    Dear all,
    what should I do to avoid XARA weaknesses in Mac OS X and iOS: Serious Vulnerability. Should I uninstall 1Password?
    It looks like Apple has NO fix at the moment. I'm worried; I have all my private info stored. I do not use sync on iCloud.
    Thanks for helping me.
    Peter


    1Password Version: 5.3.1 (531001)
    Extension Version: 4.3.1
    OS Version: OS X 10.10.3
    Sync Type: None

  • Friedrich
    Friedrich
    Community Member

    Hi there,

    I use 1password and find it an extraordinary app. I was just wondering whether the xara-leaks on iOS and OSX have any bad effects on the 1password app. Is the app in any way less safe because of this leak?

    Thanks and best regards
    Friedrich


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • Bit_Hunter_2015
    Bit_Hunter_2015
    Community Member

    did you know the unauthorized XARA glitch at 1Password? please see following link:

    unauthorized XARA

    what are the next steps to prevent somebody stealing my authentication tokens, usernames and/or passwords?
    what possibly can I do to prevent this?

    regards


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • Thomas_U
    Thomas_U
    Community Member

    I second this request.

    Full report here:

    Unauthorized Cross-App Resource Access on MAC OS X and iOS .

  • danco
    danco
    Volunteer Moderator

    Yes, it is theoretically less safe (the issue would not affect your master password or your vault, but individual passwords could be stolen).

    In practice it's not that bad, as malware would have to be downloaded, installed, and actually run before any damage could occur. And if you don't run programs you don't recognise, that removes a way of attack. One of the issues, though, was that the researchers were able to get their malware into the App Store, so (again in theory) you might get an app from there that you thought was safe but wasn't.

    For more information look at https://discussions.agilebits.com/discussion/42900/osx-and-ios-1pw-keychain-vulnerability-report-on-the-register#latest and https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/

  • danco
    danco
    Volunteer Moderator

    1PW is theoretically less safe (the issue would not affect your master password or your vault, but individual passwords could be stolen).

    In practice it's not that bad, as malware would have to be downloaded, installed, and actually run before any damage could occur. So if you don't run programs you don't recognise, that removes a way of attack. One of the issues, though, was that the researchers were able to get their malware into the App Store, so (again in theory) you might get an app from there that you thought was safe but wasn't.

    I don't see that there is any vulnerability if you simply do not run any programs you haven't already run.

    For more information look at https://discussions.agilebits.com/discussion/42900/osx-and-ios-1pw-keychain-vulnerability-report-on-the-register#latest and https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/

  • WEB
    WEB
    Community Member

    According to the article, the researchers have gone public. The researchers were able to upload boobytrapped malicious apps to the official App Store without being spotted by Apple. Do you have an update from Apple? Any recommendations as to how to safeguard our 1Password username and passwords? Link to source document below. Thanks for your guidance, Walt

    "Specifically, keychain credentials for high-profile services (e.g. iCloud, Gmail, Google Drive, Facebook, Twitter, LinkedIn, etc.) and any web accounts in Google Chrome are completely exposed. All their passwords and secret tokens can be collected by the adversary. Those vulnerable to the IPC interception include Keychain Access, Evernote, 1Password, Pushbullet, etc. Their sensitive data, such as authentication tokens and even current OS user’s username and passwords are up for grabs. The scheme vulnerability was found in 1Password, Dashlane, Evernote, Kindle, Adobe Revel, Wunderlist, etc., on OS X, through which app users’ credentials can be gathered. On iOS, popular apps like Pinterest, Instagram, U.S. Bank (banking), Citi Mobile (banking), PayPal, Amazon, WhatsApp, Dropbox, etc., were found to be exploitable. Their authentication tokens and other information can be stolen."

    "Note that all the attack apps were successfully released by the Apple Stores. So, the security threats are indeed realistic."

    Source doc - http://www.intego.com/mac-security-blog/serious-zero-day-security-flaw-ios-osx-password-theft/?utm_source=Cluley&utm_campaign=2c2e21dc5a-Graham_Cluley&utm_medium=email&utm_term=0_8106850f4a-2c2e21dc5a-62389033


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • Thomas_U
    Thomas_U
    Community Member

    ok, thanks!

  • hawkmoth
    hawkmoth
    Community Member

    @WEB - There is a lengthy thread about this in the Lounge section of the forum. I'm going to move your post to that section and merge it into that discussion. There is a response there from AgileBits, as well as a link to a blog post about it.

  • Bit_Hunter_2015
    Bit_Hunter_2015
    Community Member

    @Thomas_U: that's the same link
    @danco: thx for your comment!

    You wrote: ...(the issue would not affect your master password or your vault, but individual passwords could be stolen)...

    that's exactly what i'm afraid of!!!
    You wrote: ...One of the issues, though, was that the researchers were able to get their malware into the App Store, so (again in theory) you might get an app from there that you thought was safe but wasn't.

    that's indeed the biggest issue! which apps are safe and which not??? isn't there another securer way to communicate between apps? do you possibly have planned workarounds/other ways to communicate between apps for further releases?

    You wrote: ...I don't see that there is any vulnerability if you simply do not run any programs you haven't already run. ...

    so i've to stop all activities at AppStore and never download/run an app from the internet by now?!?!? that shouldn't be the FMO for my MAC and for 1PW ;)

  • khad
    khad
    1Password Alumni

    @Bit_Hunter_2015, @Thomas_U, I've merged your posts with the existing discussion. Please do give the above a read, and let us know if you still have further questions. It's a lot to take in, but we've replied to many of the same questions already.

  • sandymc
    sandymc
    Community Member

    @khad

    Also, folks, keep in mind that if a malicious app gets installed, it could just replace 1Password to steal your master password and data more directly. There is no need to do the WebSockets dance.

    That's a little disingenuous. An app that could replace 1Password would need to be privileged. And very sophisticated to escape detection. As I understand it, the WebSockets exploit can be done by an unprivileged app, which is what makes it so dangerous.

  • khad
    khad
    1Password Alumni

    @peterstampfli, @Thomas_U, @Friedrich,

    I deleted a couple duplicate posts and merged the rest with this existing thread. Please do be sure to read our blog post and let us know if you have more questions:

    1Password inter-process communication: a discussion


    @sandymc,

    Getting a user to install malicious software is required in both cases. 1Password itself does not run as admin in a normal user account.


    @Bit_Hunter_2015,

    Please be sure to read the blog post and the "What can be done?" section in particular where we address your concerns directly.

  • danco
    danco
    Volunteer Moderator
    edited June 2015

    @Bit_Hunter_2015 (especially)

    I'm not an AgileBits employee, just an experienced user, so I have no information about planned workarounds. In this thread and the blog post, you can see more. The developers are thinking about what can be done.

    And, yes, my comment about not downloading apps was a rather extreme answer. You could go to the other extreme, and simply not worry, the risks are small if you are normally careful. I do install programs that are not from what Apple calls "identified developers" if reviews suggest they might be useful. I think I may not install any other such programs at present, though. And maybe not install apps from the App Store unless I know something about the developer's history.

    I do hope Apple are looking at how the researchers got the malware accepted in the App Store, and working out ways to prevent it in future.

  • Megan
    Megan
    1Password Alumni

    Hi @schralp,

    I've merged your post with an existing discussion on this topic. Khad's post above also links to the article that Hawkmoth mentioned. There's some great discussion in this thread already, but if you have any further questions, please let us know - we're happy to help!

This discussion has been closed.