Jeff,
Mario Esposito

I’m sorry, Mario. I think you have misunderstood the nature of the issue and of the threat. 1Password never transmits or stores your data unencrypted. But like others you may have misunderstood what the “loopback device” is. Machines have “loopback devices” even if they have no networking hardware in them at all (no wifi chip, no ethernet). Loopback is just a way for one process on a machine to talk to another process on the same machine.

There are very good reasons why it looks like real network traffic (and those reasons are why we use it), but despite its similarity nothing is going out onto the network; it isn’t even reaching any network hardware.

Listening to the traffic on the loopback device (normally) takes root privileges. So the attacker, to do this, would already have complete control of your machine. If anyone tells you that they can protect active secrets on a machine on which the attacker has root privileges, you should head for the hills. We wouldn’t make such a ridiculous claim, and I don’t believe that any of our competitors would either.

The data that is being captured by this “attack” is exactly the same data that is going into forms in your browser. Exceedingly simple malware in your browser (far less powerful than this “attack”) could get the same information. And that in-browser attack is not in any way affected by any password manager. It would be the same whether you use 1Password, any competitor, or typed the passwords in yourself.

Furthermore, as I pointed out in my first response, the actual behavior here has been publicly discussed before. What you see is simply not the threat it may first appear to be.

At any rate, thank you for your support. I hope it continues, but thank you either way.

Clapping shows how much you appreciated Jeffrey Goldberg’s story.