Stealing PINs via mobile sensors: actual risk versus user perception

1rabbit
1rabbit
Community Member

https://link.springer.com/article/10.1007/s10207-017-0369-x

I assume this means that any random website has a very good chance at inferring your 1Password master password if you unlock 1Password via the iOS extension while the site is loaded?(Assuming of course you don't use TouchID to unlock it)

Not sure I see an obvious solution but seems like a pretty serious problem.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Andrew_AG
    Andrew_AG
    1Password Alumni
    edited April 2017

    While it looks like it might have been a potential issue at one point (although only for 4-digit PINs at this point, if I'm not mistaken; longer passwords are apparently too long to determine, so far, from what I've read), it hasn't been one for over a year now, at least not in Safari on iOS, since Apple updated Safari in iOS 9.3 back in March of 2016 to fix this by suspending the availability of the motion and orientation data when the web view is hidden (see the security update details in https://support.apple.com/en-gb/HT206166). It's actually mentioned in the article you linked to but it is quite far down in the article so it's easy to miss.

This discussion has been closed.