If I was infected with OSX/Proton, is my 1Password data still secure?

ghoetker
Community Member

I was unfortunately bitten by the compromised version of Handbrake, which had a variant of OSX/Proton embedded (https://forum.handbrake.fr/viewtopic.php?f=33&t=36364). GRRR!! It probably ran for 2-3 days. To what degree, if any, is the information in my 1Password vault compromised? I have a family plan, synced via 1Password's own sync service (which I love!!). Thanks!


1Password Version: 6.7.1
Extension Version: 4.6.5
OS Version: 10.12.4
Sync Type: 1Password
Referrer: forum-search:Vulnerability if infected with Proton?

Comments

  • AGAlumB
    1Password Alumni

    @ghoetker: It's impossible to answer that question, but I can give you some information that might help. Generally speaking, if your machine is compromised, you should assume that the attacker has access to whatever you do.

    That sounds bad, but the good news is that anything you didn't do may be secure. For example, if you didn't use 1Password at all while your machine was compromised and before you eliminated the problem, then you don't need to worry: your 1Password data is encrypted on disk until you access it, and not entering your Master Password to do so means it can't be captured.

    Now, if you did access 1Password during that time, they may have captured your Master Password. There are protections against this in the OS, but if the OS itself was compromised that may not help. It's important to note that 1Password does not decrypt all of your data when you unlock it; rather, it decrypts items on the fly as needed. But again, if an attacker was able to capture your Master Password, and they had access to all of the data on your computer, they could also capture your vault and decrypt it.

    However, if you're using a 1Password.com account, there's an additional protection that may help in this case: your Secret Key is also needed to decrypt your data. So unless there was an opportunity for them to capture that as well, they won't be able to access your data or your account. But if there's any doubt, it's easy to log in to your profile on 1Password.com and change both your Master Password and Secret Key.

    If you fall on the bad end of this spectrum, the best thing to do would be to start with your most critical accounts and change their passwords.

  • ghoetker
    Community Member

    Thanks for one of the most informative and helpful replies I've ever received on a help forum. It sounds like I'm probably okay, but a bit of paranoia never hurt anyone--passwords already changed. Probably needed done anyway.

  • AGAlumB
    1Password Alumni

    Wow. You're very welcome! And I agree with you wholeheartedly: a healthy dose of paranoia can help keep us on our toes. Stay safe out there, and we're here if you need us. :chuffed:

  • TampaGatorDad
    Community Member

    I read tonight that over the weekend, users of the Handbrake media encoder may have been compromised by the Proton backdoor trojan, after one of Handbrake's download servers was hacked. ArsTechnica has a story (https://arstechnica.com/security/2017/05/mac-users-installing-popular-dvd-ripper-get-nasty-backdoor-instead/?comments=1&vs=b), and one of the quotes states that 1Password vaults may be among the data that gets pilfered from systems, presumably for later attempts at decryption.

    My instincts tell me that, as a longtime user, there are many layers of security built into the app, and that even if a vault was copied or somehow stolen, the vault itself is inaccessible to others. However, I'd be more comfortable knowing more. My basic questions:

    • Do I have anything to worry about if my vault is copied?
    • If I've entered my primary password and unlocked the vault, am I open to this type of attack?
    • If I'm unknowingly infected before unlocking my vault, and then I subsequently enter my password to unlock it, am I now compromised?

    I ask because, although I do not think I have been infected (the article annoyingly provides the hash/checksum that confirms infection, but no such information to verify a legitimate installation), I just happened to run Handbrake tonight for the first time in a while and encountered some (but not all) of the events described in the article (i.e., I was prompted from within the program to update, which I did, not having yet heard about the trojan). Although the article (and elsewhere) notes that the in-app update for newer versions was NOT compromised, and I'm pretty sure I had a version higher than 1.0.x when I updated, I'm not absolutely certain.

    Thus, I'm taking precautions, but before I go crazy, I wanted to confirm if, within the realm of what's likely/reasonable, there is any more information related to how 1Password users might be impacted, if at all.


    1Password Version: 6.7
    Extension Version: 4.6.5
    OS Version: OS X 10.12.4
    Sync Type: iCloud
    Referrer: forum-search:Proton backdoor

  • jpgoldberg
    1Password Alumni

    I just wanted to update here to say that there are reports that at least some of the Proton variants that were included with the bogus HandBrake have been reported to send 1Password data vaults off to the attackers. This is all I know at the moment, and I am investigating. (This will be a long night.)

    Note that an attacker who captures 1Password data from your Mac would still have to guess your Master Password to acquire that data.

    At this point we do not know exactly what information is collected.

  • bkendig
    Community Member

    I got hit by this. The trojan zips files into a directory (I forget the path - it's in articles discussing its behavior) and uploads them to the hackers' server. It doesn't delete the zipped files, so I had a look at them. Among other things, it captures the entire contents of the user's "Library/Application Support/1Password 4" directory.

    Assuming that it only copies files and doesn't dump memory or have a keylogger (this time), how bad is this? 1Password doesn't write the master password to disk at any point, or write a decrypted copy of the vault (or any part of it) to disk, does it? The hackers would have to crack my master password to have access to the vault?

    (It's been a long night for me, too; I spent a lot of hours changing my passwords.)

  • bkendig
    Community Member

    There's a good discussion going on at https://discussions.agilebits.com/discussion/comment/371268

    Also, you can look for the presence of certain files and a specific process to see if your Mac is infected. I don't remember the details; look for articles covering the behavior of the malware.

  • Drew_AG
    1Password Alumni
    edited May 2017

    Hi @bkendig,

    I'm sorry to hear you were hit by the Proton trojan! You're correct - no one will be able to view the contents of your vault without your master password, and your Master Password is never stored alongside your 1Password data. 1Password doesn't store decrypted data on disk (temporary files are created if you view an attachment though), and everything is end-to-end encrypted.

    We just posted an article on our support site with more information about this: Malware found in HandBrake open source video transcoder for Mac

    I hope this helps, but please don't hesitate to let us know if you have more questions about that. :)

  • Drew_AG
    1Password Alumni

    Hi @TampaGatorDad,

    I hope you don't mind, but I've merged your post with another forum thread about the same topic. Thanks for writing to ask us about this!

    The other replies from AgileBits Team Members in this discussion should help to answer your questions, and we also have a new article on our support site with more information: Malware found in HandBrake open source video transcoder for Mac

    If you still have questions after reading that, please let us know! :)

  • bkendig
    Community Member

    I've been doing a lot of research about this today to find out how much I need to worry. The best writeup I've found about the malware itself is at "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/". (I see that's linked from the AgileBits support article, too.)

    It looks like this malware only uploads some files to the hackers' server (and sometimes the malware doesn't install properly, so it might not even do that). It also sends the admin password you type when it asks you to install some codecs. Presumably the hackers then use your admin password to decrypt the copy of the macOS Keychain that it uploads, so any passwords you store in the Keychain are at high risk.

    If you stored your 1Password master password in your macOS Keychain for some reason, then your 1Password vault is also at high risk. I don't know why anyone would store their 1Password master password in the keychain unless they really had trouble remembering it, but this is something to keep in mind.

  • Drew_AG
    1Password Alumni

    Hi @bkendig,

    One thing I forgot to mention yesterday is that there is one case where 1Password will store the master password on your Mac, and that's if you have a MacBook Pro with Touch ID, and you're using Touch ID in 1Password. For Touch ID to unlock 1Password, the master password needs to be stored in the macOS Keychain so it can be retrieved when unlocking the 1Password app.

    There are a few things that protect the master password in the macOS Keychain, but if that Mac is hit by Proton, the master password is at a much higher risk as Proton phishes for the macOS login password. I don't know if you have Touch ID on your Mac, but I wanted to mention that just in case you do. And if you do, you might also want to check out this support article: About Touch ID security in 1Password for Mac

    Again, please don't hesitate to let us know if you have more questions about that! :)

  • pervel
    Community Member

    @Drew_AG: Now I'm confused. The document about Touch ID says the following:

    When you enable Touch ID, 1Password stores in the macOS Keychain an obfuscated version of a secret that can be used to decrypt your 1Password data. The secret is used to unlock 1Password when your fingerprint is recognized.

    That doesn't sound like it's the actual Master Password that's stored in the keychain.

  • Drew_AG
    1Password Alumni

    Hi @pervel,

    I'll ask someone here who knows more technical details to elaborate on this, but basically, your master password isn't stored in plain text in the macOS Keychain, but it is stored there (if you're using Touch ID). Please also note that the section you quoted in that article is titled "Your Master Password is stored in the macOS Keychain". ;)

  • jpgoldberg
    1Password Alumni

    Now I'm confused

    That is because it is confusing, @pervel. It is because the direct and technically correct answer isn't always the most helpful. It is true that your Master Password isn't stored anywhere, even when you use TouchID. But what is stored poses another route to decrypt your data without having to guess your Master Password.

    To fully understand the technicalities requires understanding, among other things, that there is a whole chain of keys between your Master Password and your encrypted data. Your data is not encrypted directly with your Master Password (a Master Password would make a very poor data encryption key, for one thing).

    The finer details also depend on whether you are using 1Password accounts, or whether you are synchronizing your data with, say, the OPVault format. Although the innards of the OPVault format are not relevant to the TouchID question, the documentation for it has a nice introduction to this chain of keys.

    Each item key’s encrypted with the master key
    And the master key’s encrypted with the derived key
    And the derived key comes from the MP
    Oh hear the word of the XOR
    Them keys, them keys, them random keys (3x)
    Oh hear the word of the XOR

    Deliberate vagueness

    In general, we try not to rely on security through obscurity. But in this case, I would like to be vague in the hope that it will buy people some extra time. The attackers will be able to figure out the relationship between what is in the macOS keychain (for TouchID users) and how to decrypt the associated 1Password data with that. It is only a matter of time. But how much time will depend on their skill and the level of effort they put into it. But I don't want to say anything here that might save them a few hours (days? weeks?) digging around.

    On the one hand, I want to talk about the layers of defense we have put into this. And I want to let people know that even in the TouchID case it will take some time for the attackers to unlock someone's data once they turn their attention to it. But I do want to be vague in this specific situation.

    A simple "as if"

    So both because of the complexity of the thing, along with our desire for vagueness in this case, the most useful thing we can tell people is that they should treat the use of TouchID as if their Master Password is stored in the macOS keychain. The situation is more complicated than that, but that "as if" is the easiest way to communicate to people what the threat is in the case where

    1. Their macOS password has been captured for a Mac.
    2. Their macOS keychains have been captured from that Mac.
    3. Their encrypted 1Password data has been captured from that Mac.
    4. They have been using 1Password with TouchID on the Mac.

    Our advice has to reflect the fact that in the TouchID case, there is an attack that the bad guys can do that does not involve guessing at your Master Password. We don't know whether they will even try that line of attack. We don't know whether they will even go after "moderately" strong Master Passwords. They might just go after the very weak ones[1]. But we do have ideas of what they have the power to do if they have the skill and are willing to put in the effort.


    [1] How can they identify the weak Master Passwords, you might ask. They can't until they try to crack them. But instead of trying, say, a million guesses on one person's data, they might try 10,000 guesses on one hundred people's data. It's the same amount of effort, but the latter approach may get them a few very weak Master Passwords.
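
The chain of keys in the verse above, and the two attack routes jpgoldberg contrasts (guessing the Master Password offline versus the TouchID "as if" route), as an added Python illustration that is not AgileBits' code and not part of this thread. It assumes PBKDF2-SHA256 as the slow key-derivation function and an HMAC-SHA256 keystream XOR with an HMAC tag as a stand-in for the real encryption; the keychain-secret functions are a hypothetical model of the "as if your Master Password were in the keychain" statement, not a description of how TouchID actually works in 1Password, which the thread deliberately does not give. The vaults, passwords and wordlist are constructed sample data.

```python
"""Toy key chain: item key -> master key -> derived key -> Master Password.
Added illustration, not AgileBits code. Assumptions (not from the thread):
PBKDF2-SHA256 as the slow KDF; HMAC-SHA256 keystream XOR + HMAC tag as the
cipher; a random keychain secret as a hypothetical model of the TouchID case."""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 20_000  # deliberately low so the demo runs fast; real use is far higher


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Derived key: slow KDF over the Master Password, so every wrong guess costs CPU."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || (plaintext XOR keystream) || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError on a wrong key: exactly the signal an offline cracker looks for."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def create_vault(master_password: str, items: dict) -> dict:
    """Each item key is wrapped with the master key; the master key with the derived key."""
    salt, master_key = secrets.token_bytes(16), secrets.token_bytes(32)
    vault = {"salt": salt, "items": {},
             "wrapped_master_key": wrap(derive_key(master_password, salt), master_key)}
    for name, secret in items.items():
        item_key = secrets.token_bytes(32)  # random per-item key, decrypted on the fly
        vault["items"][name] = (wrap(master_key, item_key), wrap(item_key, secret.encode()))
    return vault


def open_item(vault: dict, master_password: str, name: str) -> str:
    """Normal unlock: Master Password -> derived key -> master key -> item key -> data."""
    master_key = unwrap(derive_key(master_password, vault["salt"]), vault["wrapped_master_key"])
    wrapped_item_key, data = vault["items"][name]
    return unwrap(unwrap(master_key, wrapped_item_key), data).decode()


def enable_touch_id(vault: dict, master_password: str) -> bytes:
    """Hypothetical 'as if' model: a random secret kept in the OS keychain that unwraps
    the master key directly. Not the real 1Password TouchID mechanism."""
    keychain_secret = secrets.token_bytes(32)
    master_key = unwrap(derive_key(master_password, vault["salt"]), vault["wrapped_master_key"])
    vault["wrapped_for_keychain"] = wrap(keychain_secret, master_key)
    return keychain_secret


def open_item_with_keychain_secret(vault: dict, keychain_secret: bytes, name: str) -> str:
    """The second route: vault + keychain + login password means no guessing is needed."""
    master_key = unwrap(keychain_secret, vault["wrapped_for_keychain"])
    wrapped_item_key, data = vault["items"][name]
    return unwrap(unwrap(master_key, wrapped_item_key), data).decode()


def crack_many(vaults: dict, wordlist: list, budget_per_vault: int) -> dict:
    """The footnote's strategy: a small guess budget against many stolen vaults
    catches only the very weak Master Passwords. Returns {owner: password}."""
    found = {}
    for owner, vault in vaults.items():
        for guess in wordlist[:budget_per_vault]:
            try:
                unwrap(derive_key(guess, vault["salt"]), vault["wrapped_master_key"])
            except ValueError:
                continue  # wrong guess; pay the KDF cost and move on
            found[owner] = guess
            break
    return found


if __name__ == "__main__":
    # Constructed sample data: one weak and one word-list-style Master Password.
    vaults = {
        "alice": create_vault("password1", {"bank": "hunter2"}),
        "bob": create_vault("correct horse battery staple", {"bank": "four-word owner"}),
    }
    guesses = ["123456", "password", "password1", "qwerty", "letmein"]  # constructed wordlist
    print(crack_many(vaults, guesses, budget_per_vault=5))  # only alice falls
    secret = enable_touch_id(vaults["bob"], "correct horse battery staple")
    print(open_item_with_keychain_secret(vaults["bob"], secret, "bank"))  # no guessing at all
```

Running the module shows the two routes side by side: five cheap guesses recover alice's weak Master Password while bob's passphrase survives the same budget, and bob's vault still opens without any guessing once the attacker holds the keychain secret, which is the combination of conditions 1 through 4 above. The real OPVault and 1Password account formats use different KDF parameters and, for accounts, also fold in the Secret Key; none of that is modelled here.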

  • pervel
    Community Member
    edited May 2017

    @jpgoldberg: Thanks for the explanation!

    So I guess the conclusion is.... don't get hacked! :(

  • AGAlumB
    1Password Alumni

    Sadly, that's ultimately the only true failsafe. 1Password can protect your data from many threats, but it can't protect it from you. Once someone else has the same privilege level and/or information you do on your machine, they might as well be you. :(

  • jpgoldberg
    1Password Alumni

    So I guess the conclusion is.... don't get hacked!

    Well, yeah. But it is also "have a good Master Password". With the TouchID stuff aside, a good Master Password is a great defense. If you use a Master Password generated by our word-list generator then a Master Password that is four words long will stand up to about one million dollars of cracking effort. And for five words, we are talking about trillions of dollars.

    1Password was designed to withstand attacks similar to this (if people have decent Master Passwords). What is different in this case is the combination of the fact that the attackers got the macOS passwords and the fact that some of these users were using TouchID in 1Password for Mac.

  • jpgoldberg
    1Password Alumni

    At the risk of going into yet more detail, I would like to take the opportunity to explain how Brenty and I are both correct. He said

    Once someone else has the same privilege level and/or information you do on your machine, they might as well be you.

    Or to put it another way: Once your computer is compromised, it is no longer your computer.

    While I said,

    1Password was designed to withstand attacks similar to this (if people have decent Master Passwords).

    Brenty is correct that no software running on a system can be protected if the system on which it runs is compromised. And I am correct because of what I swept under the rug with "attacks like this": 1Password is designed to defend you if the data from your own computers gets stolen. And that defense will depend on your Master Password. I was talking about attacks in which data from your disks is acquired by attackers.

    With Proton, however, the attack didn't just harvest information stored on the disk, it also ran a program that tricked people into telling it their macOS passwords. That changes things.

    Anyway, this illustrates why it is so hard to get a simple answer about security questions. It is complicated.

  • davethis
    Community Member

    I was hit by this, but only entered my password on the first dialog box, not the second. I looked and I do not have the ~/Library/VideoFrameworks directory. I am also using 1Password 6.7.

    My assumption is that since I do not have the ~/Library/VideoFrameworks nor the ~/Library/Application Support/1Password 4 directory that I should be OK since I am using 1P 6 and not 3.9 or 4.

    I also have 2-factor set up on most major accounts.

    I am not worried if it uploaded my Keychain as I went through the Keychain and no important passwords were stored there. I am on an older MBP that does not have Touch ID.

    Is it safe to assume I am safe?

  • AGAlumB
    1Password Alumni

    @davethis: Please take a look at my earlier comments, as that's something you'll have to determine for yourself.

    I'm not certain about your comments regarding "VideoFrameworks", but 1Password 4, 5, and 6 all use the same support folder. It's impossible to use a recent version of 1Password and not have this, but it may be in a slightly different location if you're using the Mac App Store version. In that case, it would be ~/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper. Let me know if that helps.

This discussion has been closed.