Password sniffing by other applications (Pomodoro)
I registered an account at a website and used 1Password's handy account creation pop-up dialog box (generated by the password extension for Safari) to save the account details. When I went to check on the new account in the main 1Password application I noticed an odd URL was added to the account (in addition to the actual webpage):
app://com.xwavesoft.pomodoromac
The URL appears to be a link to the Pomodoro application that often runs on my Mac (it is a menu bar application purchased in the Mac App Store). The Pomodoro app was running when I made the account.
The fact this URL has appeared during an account creation step makes me concerned that either the Pomodoro application has malware behaviour or that 1Password activity can be easily snooped on by other applications.
Should I be concerned? If not, how on earth did that internal application URL end up in 1Password?!
Thanks
1Password Version: 5.3
Extension Version: 4.4.3
OS Version: 10.10.5
Sync Type: iCloud
Referrer: forum-search:pomodoro
Comments
-
Greetings @fastSLOW,
It turns out I managed to forget a certain behaviour in 1Password mini until I was recently reminded of it.
When you generate a password using 1Password's Password Generator we store it as a safety measure, a wise one I'm sure you will agree. If your web browser is the active application when this happens 1Password mini will ask the extension for the title and URL of the active tab on the reasonably safe assumption that is the intended target for the new password. That way should you ever need to look back you can see why this Password item might have been created.
Now if another application is in focus when the password is generated it picks up the name of the application for the title and the URL is instead a generic URI for that application as supplied by some OS X call. So this is how URLs starting with app:// can come into existence. Now, how did it end up in a Login item?
So you've generated your lovely new strong password and then you go to use it on the site. Now we have the password stored as a Password item but to be of more use you want to create a Login item. You visit the site, enter your login credentials and 1Password offers to create a Login item. What you don't see in the background is 1Password notices it's the same password as in one of your Password items so it converts that Password item into a Login item, keeping all the current fields. It updates the title to reflect the site in question and adds the URL for the login page.
The confusing result though is a Login item that has both the real URL and an app:// URI. Heck, it took me a moment or two to put this together myself, I was even writing a slightly different response when all the pieces fell into place.
So other applications aren't looking at what you are doing, they were merely in focus when 1Password mini was opened. Nor is 1Password listening to what you're doing in other applications as we only interact with the 1Password Browser Extension (I'm not counting asking the OS what application is active as real interaction) but it's something that does raise an eyebrow the first time you see it. Given we don't interact with other OS X applications I'm not sure what benefit adding the URI does.
I hope this helps a bit but if you have any follow up questions at all please do ask :smile:
0 -
@littlebobbytables - Thank you for the detailed answer, the only remaining issue is that I didn't at any time (that I recall) switch focus to the Pomodoro app. In fact I forgot it was running as I haven't used it for weeks. Could Pomodoro be capturing focus programmatically? I however acknowledge that it is also possible that I clicked on the Pomodoro menu app prior to 1Password mini, but it sits quite a ways away from my 1Password mini app and I feel this is unlikely (though not impossible).
Also it wasn't clear why both URIs were captured. Was the app:// URI captured when the password item was created (via password mini) then the webpage URI added during the conversion process from the password item to login item? In other words the main 1Password app amalgamates all fields when converting a password item to a login item?
If so that is an odd edge case, not sure you would want to change the behaviour though, as it is not a good idea to jettison fields without user approval.
0 -
Greetings @fastSLOW,
You've nailed it, the app:// URI was stored in the Password item when it was created as according to OS X Pomodoro was the application in focus at the time. Then when 1Password realised the password was for the Pomodoro website (you would have logged into their website using the same password) it converted the Password item, retained all the fields and then added the correct URL. It's odd and rare enough that I had to do some playing about to finally discover how this happened, having not seen this before. I can't comment much on the Pomodoro application as I know nothing about it I'm afraid. It might be easy to reproduce with their application or it might have been a freak occurrence. Hopefully the explanation though at least offers some reassurance as to how safe your data is and whether it has been exposed, the answer being that while we startled you, your data is safe :smile:
0 -
@littlebobbytables - Thank you for the follow up. I feel much more confident in what 1Password is doing behind the scenes. Capturing an app URI from the last focus is external to whether or not an app could hypothetically be sniffing and logging OS transactions. Proving or disproving the latter would require deep forensics (well beyond my current skill set) and is really tangential to the issue at hand (any application could theoretically have a malware payload).
As such, I will refer to Hanlon's Razor and consider the issue closed.
Thanks again for your detailed and thoughtful replies.
0 -
I'm glad we could help and reassure :smile:
0
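The behaviour described in the staff replies above, modelled as an added example (not 1Password's code and not part of the thread), with an audit that flags Login items still carrying a leftover focus URI. The Item class, the function names and the sample passwords and sites are assumptions; only the app:// URI is taken from the original post.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Item:
    kind: str            # "Password" or "Login"
    title: str
    password: str
    urls: list = field(default_factory=list)

def record_generated(vault, password, frontmost_title, frontmost_url):
    """Generator safety net: store the new password with whatever had focus."""
    item = Item("Password", frontmost_title, password, [frontmost_url])
    vault.append(item)
    return item

def save_login(vault, site_title, site_url, password):
    """Saving a login: a Password item holding the same password is converted,
    keeping its existing fields, retitled, and given the login page URL."""
    for item in vault:
        if item.kind == "Password" and item.password == password:
            item.kind, item.title = "Login", site_title
            item.urls.append(site_url)
            return item
    item = Item("Login", site_title, password, [site_url])
    vault.append(item)
    return item

def audit_app_uris(vault):
    """Return (title, app URIs) for Login items with both a web URL and an app:// URI."""
    findings = []
    for item in vault:
        app = [u for u in item.urls if urlsplit(u).scheme == "app"]
        web = [u for u in item.urls if urlsplit(u).scheme in ("http", "https")]
        if item.kind == "Login" and app and web:
            findings.append((item.title, app))
    return findings

def demo():
    vault = []
    # Constructed sample values; the app URI is the one quoted in the thread.
    record_generated(vault, "constructed-Passw0rd!", "Pomodoro", "app://com.xwavesoft.pomodoromac")
    save_login(vault, "Example Site", "https://example.com/login", "constructed-Passw0rd!")
    record_generated(vault, "other-constructed-pw", "Example Two", "https://example.org/signup")
    save_login(vault, "Example Two", "https://example.org/login", "other-constructed-pw")
    return vault, audit_app_uris(vault)

if __name__ == "__main__":
    print(demo()[1])
```

A finding here means only that a non-browser application had focus when the password was generated, which is the explanation given in the thread.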