Of course, while everyone is fleeing to 1Password, make sure you read today's front page article on the new iOS and OS X security flaw that allows someone to access your private data because of 1Password's integration with keychain.
 
Of course, while everyone is fleeing to 1Password, make sure you read today's front page article on the new iOS and OS X security flaw that allows someone to access your private data because of 1Password's integration with keychain.

1Password has nothing to do with the OS X / iOS keychain. This attack was between the 1Password browser extension and the background process called 1Password Mini and their communication. The attacks on 1Password were only successful when the target user first downloaded the malicious app; additionally, this malicious app has to run before 1Password Mini does.

As this and this post by Agile staff point out, almost all of the 'work' required for a regular user to get hit by this is done by the user: not being vigilant with what they install on their machine, and not allowing 1Password Mini to run at login.

Like all of these services, they're actually only as strong and protective as their users. You'd be surprised how many people I know that use 1Password (on my own and others' recommendation) and are using a simple 6-character password because it's 'easy to remember'.

Edit: Fixed the links.
 
Of course, while everyone is fleeing to 1Password, make sure you read today's front page article on the new iOS and OS X security flaw that allows someone to access your private data because of 1Password's integration with keychain.

Hahahahah, I watched the two videos. More bs meant to scare Apple users. This is pathetic and barely an exploit at all. A 12 year old could figure these out in an afternoon. Apple doesn't even need to fix this. That's how pathetic these "exploits" are.

Laughable "Exploit" #1:
* A malicious app tells Keychain Access to store a "blank" password for a site (like Facebook.com), with access rights by both Google Chrome/Safari/Whatever browser, *and* the evil app.
* The user logs in to the site and tells their browser to save the password, which puts the real (non-blank) password in the Keychain.
* Since the evil app created the keychain entry, it still has access to read it and can see the real password.
* This exploit requires that the malicious app knows your website login username/email already, so that it can create a dummy entry with the correct login name, so that the browser will update that exact Keychain Access entry with the password.
* This exploit only works if there's NOT ALREADY a password entry stored for that site. If there's an existing entry, it cannot overwrite it/add itself as access to it without triggering OS X's "allow this app to access Facebook.com in your keychain?" dialog, which means almost nobody will be hit by this exploit since most people have already stored their passwords.
* This is not a flaw of Keychain Access. It's working as intended: Allowing more than one app to access keychain access entries. Although Apple *might* want to lock it down so that apps can only add themselves (not other apps) to the access list. If so, it would be impossible for a malicious app to add the browser to the access list of the dummy/blank login. Although this would just cause the browser to trigger the "allow the browser to access Facebook.com in your keychain?" dialog, and most people would accept that, so it wouldn't really solve the problem. And as mentioned, it's an extremely minor problem and requires that the exploit knows your email/username for the site *and* adds the Keychain Access entry *before* the browser has added any. For most users, they will already have entries for all sites they use, so the malicious app can't do jack sh$t. And again: A malicious app needs to know your exact email/username as well, which is already extremely unlikely.
* Lastly: 1Password does not use Keychain Access. At all. Use that password manager instead. It's also far more portable, working on Windows and iOS as well, and has Dropbox sync. And of course it lets you store all kinds of other useful, secret data, like Software Licenses.

Laughable "Exploit" #2:
* A malicious sandboxed app is able to read files from other sandboxed apps. The researchers call this "cross-app resource access" or XARA for short.
* (Not shown in the video, but far more serious) A malicious non-sandboxed (non-App Store) app can read any file the user owns on the filesystem.
* When you can read files on their system, you can of course steal secrets from other apps.
* This is not a problem: 1Password's secrets are encrypted. I would happily email my entire 1Password database to the NSA. Having the database is worthless if they don't also have the password, and my password takes hundreds of trillions of years to crack, so not even the NSA can do it (*period*; it's mathematically impossible even if they had ten thousand working quantum computers).
* What is a problem is that malicious apps can steal unencrypted user files and send them away. But that's always been a problem on every OS ever. Don't install/run weird software.
* As for sandboxed apps: Yes, Apple should fix it so that sandboxed apps can't read each other's data directories. But it's a very minor issue. Your system is already no-doubt full of non-sandboxed software, and *that* software has access to the *whole* filesystem. A sandboxed (App Store) app only has access to its sandbox and the sandboxes of other App Store apps.
 
Of course, while everyone is fleeing to 1Password, make sure you read today's front page article on the new iOS and OS X security flaw that allows someone to access your private data because of 1Password's integration with keychain.
It is only an issue if someone downloads a malicious app that can specifically do what the front page is talking about. Best thing to do right now, in my opinion, is not download any new apps until Apple releases a statement on the matter. Doing that greatly reduces the chance of having a problem.
 
Regarding today's news, there's a lot of miscommunication going on; we need to wait and hear from the right folks. The media is, as usual, likely blowing this out of proportion and, of course, is more likely to have misunderstood what the report actually said.

LastPass was breached but they did the right thing in communicating to users what happened and explaining what to do next. Just like today, some of the reports blew it out of proportion on what happened.
 
You say "all a user has to do" as though every user was as smart as the users on this forum. They're not. And they're likely to do everything they're not supposed to do.
 
Of course, while everyone is fleeing to 1Password, make sure you read today's front page article on the new iOS and OS X security flaw that allows someone to access your private data because of 1Password's integration with keychain.

1Password has nothing to do with the OS X / iOS keychain. This attack was between the 1Password browser extension and the background process called 1Password Mini and their communication. The attacks on 1Password were only successful when the target user first downloaded the malicious app; additionally, this malicious app has to run before 1Password Mini does.

As this and this post by Agile staff point out, almost all of the 'work' required for a regular user to get hit by this is done by the user: not being vigilant with what they install on their machine, and not allowing 1Password Mini to run at login.

Like all of these services, they're actually only as strong and protective as their users. You'd be surprised how many people I know that use 1Password (on my own and others' recommendation) and are using a simple 6-character password because it's 'easy to remember'.

Edit: Fixed the links.

It is only an issue if someone downloads a malicious app that can specifically do what the front page is talking about. Best thing to do right now, in my opinion, is not download any new apps until Apple releases a statement on the matter. Doing that greatly reduces the chance of having a problem.

Hi folks,

We wrote up a blog post on this one since we wanted to let everyone know exactly what was going on. You can read it here.

I hope that helps clear anything up regarding 1Password. I really don't want to hijack this thread but since it was brought up here rather than a separate discussion it was kind of the only option for this particular scenario.

If anyone has any questions let me know and we'll get you the answers you need.

Thanks!
 
This is a definite issue (picture your house burning to the ground with all your technology). I use 1P and periodically make a copy of the (encrypted) 1P database on a USB stick which I keep in a safe deposit box. Your password collection does NOT belong in The Cloud.

I second 1P although I admit that I keep the encrypted database file in dropbox so it is available to all my devices. I have a pretty decent master password so presumably even if DP got hacked they would still need to break the encryption on the database.

Keeping a stick in a safety deposit box is pretty serious. Do you keep your NSA logins in 1P?
 
Of course, while everyone is fleeing to 1Password, make sure you read today's front page article on the new iOS and OS X security flaw that allows someone to access your private data because of 1Password's integration with keychain.

1P does not store data in the OS X Keychain. In fact, people were asking them to do this and they declined; looks like they were right. The vulnerability lies in when data is passed from 1P to the 1P mini browser.

The bottom line is that to exploit this weakness in OS X (which Agilebits can do very little about; it's up to Apple to fix it), you must download and install a malicious app. If you do this then all bets are off on password protection anyway: it could be a key logger, take screenshots, etc. (i.e. nothing to do with 1P).

At the end of the day nothing has changed, don't download apps from places you don't trust. That's not to say the security breach shouldn't be fixed, I'm sure Apple will but there is no need to panic any more than usual.
 
Although I use 1Password this is hardly a reason not to use LastPass.

Anyone that had a strong master password has nothing to worry about. I use Dropbox to sync all my devices that have 1Password, and this would be no different if someone hacked them and took my vaults from them. And even still I wouldn't be worried since I have a strong master password.

It's all about that master password with these managers!

Side note: in regards to the new XARA exploit... just don't use the plug-ins for the managers. Copy/paste from the apps. Problem solved. 1st world problems of having to take an extra 5 seconds to login.
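The thread keeps coming back to the master password (the "6 character password" above versus a vault that "takes hundreds of trillions of years to crack"). The following estimator, added here as an illustration and not code from 1Password or any other manager, shows why: it sizes the guessing space from the character classes used and scales each guess by a PBKDF2-style iteration count; the iteration count and attacker HMAC rate are assumptions, not vendor figures.

```python
"""Estimate the cost of offline guessing against a vault whose key is
derived from the master password with PBKDF2-style stretching.
Added illustration for this thread; not 1Password's code. The
iteration count and attacker rate passed in are assumptions."""
import math
import string

# Character classes used to estimate the search space of a password.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(password: str) -> int:
    """Number of candidates an attacker must cover, assuming (in the
    attacker's favour) they know the length and which classes appear."""
    alphabet = sum(len(cls) for cls in CLASSES
                   if any(ch in cls for ch in password))
    return alphabet ** len(password)


def entropy_bits(password: str) -> float:
    """Search space expressed in bits."""
    return math.log2(search_space(password))


def expected_crack_years(password: str, kdf_iterations: int,
                         hmac_per_second: float) -> float:
    """Expected years to hit the password: half the space on average,
    each guess costing kdf_iterations HMAC computations (PBKDF2),
    at the attacker's raw HMAC throughput (an assumed figure)."""
    guesses = search_space(password) / 2
    seconds = guesses * kdf_iterations / hmac_per_second
    return seconds / SECONDS_PER_YEAR


def compare(passwords, kdf_iterations=100_000, hmac_per_second=1e9):
    """Map each candidate master password to (bits, expected years).
    Default cost/rate are constructed assumptions for illustration."""
    return {p: (round(entropy_bits(p), 1),
                expected_crack_years(p, kdf_iterations, hmac_per_second))
            for p in passwords}


if __name__ == "__main__":
    # Constructed sample passwords: a 6-letter one and a long mixed one.
    for pw, (bits, years) in compare(["abcdef", "M4ple-Tree!Quiet_River9"]).items():
        print(f"{pw!r}: {bits} bits, ~{years:.3g} years to crack")
```

Raising the iteration count multiplies the attacker's cost linearly, while each extra character multiplies it by the alphabet size, which is why length and character variety dominate.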
 
Although I use 1Password this is hardly a reason not to use LastPass.

Anyone that had a strong master password has nothing to worry about. I use Dropbox to sync all my devices that have 1Password, and this would be no different if someone hacked them and took my vaults from them. And even still I wouldn't be worried since I have a strong master password.

It's all about that master password with these managers!

Side note: in regards to the new XARA exploit... just don't use the plug-ins for the managers. Copy/paste from the apps. Problem solved. 1st world problems of having to take an extra 5 seconds to login.
Yep. I do the same. My 1Password syncs to Dropbox from my phone and my Wife's phone. Same account.
 
Side note: in regards to the new XARA exploit... just don't use the plug-ins for the managers. Copy/paste from the apps. Problem solved. 1st world problems of having to take an extra 5 seconds to login.

That would open you up to other problems. If you're copying and pasting to the OS X clipboard that is a lot more vulnerable, malware has been monitoring the clipboard for years now. If you're just typing in your password then you're susceptible to a key logger, at this stage a much more common form of malware than one taking advantage of the XARA exploit.

You're best off not downloading and installing software from dodgy sources in the first place.
 
...Side note: in regards to the new XARA exploit... just don't use the plug-ins for the managers. Copy/paste from the apps. Problem solved. 1st world problems of having to take an extra 5 seconds to login.

Horrible advice you're giving because you're clearly not understanding the issue here.

First of all, your clipboard is about the most insecure storage on the computer. No, that does not solve the problem and will make it worse, you're actually giving your malware more information.

Any malware using the XARA exploit can only capture whatever is passed from 1Password mini into the browser extension, so if you're filling just a username or password with no username, you're only passing these specific values in and these values are picked up. As long as the extension doesn't pass anything in, there's nothing being picked up.

Copying and pasting requires no XARA exploit; any common keylogger can capture everything you copy to your clipboard (which by its nature is public to every process on the system). This means any username, password, or credit card you copy will be copied by the malware process as well. That's why 1Password and other password managers avoid using the clipboard as much as possible; absolutely nothing prevents the clipboard from being sniffed. The way password manager extensions handle things is more secure.

Your best option is to prevent malware in the first place, which is to avoid installing stuff from shady sources and to avoid installing random apps that you have no advance knowledge of.
 
1password is also vulnerable using recently uncovered problems on both iOS and OS X.
But its password vault is not stored in keychain. The 1Password folks address their security in this blog post.

No app is perfect, but I think any app that keeps your passwords and information local on your computer is superior to one that keeps your sensitive data on their servers. That's just asking for trouble; this isn't LastPass's first problem with hacking and it won't be the last.

Personally as I mentioned, I'd rather be the one responsible for maintaining the security of my passwords, not trusting another company.
 
MiniKeePass user here. It uses a database and a keyfile. So you need both to unlock: password and keyfile.

Based on KeePassX open source software, which has been looked at by security people to ensure it does what it says it does with no backdoors etc.

Does your password manager allow the same inspection?
 
MiniKeePass user here. It uses a database and a keyfile. So you need both to unlock: password and keyfile.

Based on KeePassX open source software, which has been looked at by security people to ensure it does what it says it does with no backdoors etc.

Does your password manager allow the same inspection?

As far as I can see MiniKeePass is an iOS app, correct?

So the current XARA exploits don't apply. However a pretty major weakness is that it copies your password to the clipboard.
 
As far as I can see MiniKeePass is an iOS app, correct?

So the current XARA exploits don't apply. However a pretty major weakness is that it copies your password to the clipboard.

Copy paste - It has a time out feature for that. You set the time out. Or you could just read the password and type it in. A pain in the ass but up to you. It also has the built-in Safari web engine view so you can stay in the app.
 
But its password vault is not stored in keychain. The 1Password folks address their security in this blog post.

No app is perfect, but I think any app that keeps your passwords and information local on your computer is superior to one that keeps your sensitive data on their servers. That's just asking for trouble; this isn't LastPass's first problem with hacking and it won't be the last.

Personally as I mentioned, I'd rather be the one responsible for maintaining the security of my passwords, not trusting another company.
I completely agree. I prefer to store passwords locally. I really like 1Password's Wi-Fi sync feature. I get the convenience of all my devices synced, but my sensitive data never touches the cloud.
 