1Password sends your password across the loopback interface in clear text
TL:DR 1Password sends your password in clear text across the loopback interface if you use the browser extensions.
Note: Running Mac OSX 10.11.3, 1Password Mac Store 6.0.1, Extension Version 18.104.22.168 (Chrome)
Last night i spent some time actually reviewing what was running on my system and what ports things were listening on when I saw that 1Password was listening to multiple ports on the loopback interface.
mango:~ ross$ lsof -n -iTCP
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
2BUA8C4S2 631 ross 12u IPv4 0x507c280b7bcfe03d 0t0 TCP 127.0.0.1:6258 (LISTEN)
2BUA8C4S2 631 ross 13u IPv6 0x507c280b75c30955 0t0 TCP [::1]:6258 (LISTEN)
2BUA8C4S2 631 ross 14u IPv4 0x507c280b7bcfd735 0t0 TCP 127.0.0.1:6263 (LISTEN)
2BUA8C4S2 631 ross 15u IPv6 0x507c280b75c2e3b5 0t0 TCP [::1]:6263 (LISTEN)
2BUA8C4S2 631 ross 18u IPv4 0x507c280b7fd6603d 0t0 TCP 127.0.0.1:6263->127.0.0.1:49303 (ESTABLISHED)
2BUA8C4S2 631 ross 25u IPv4 0x507c280b9e36b24d 0t0 TCP 127.0.0.1:6263->127.0.0.1:56141 (ESTABLISHED)
This got my curious as I wasn’t running any server feature (the Wi-Fi server feature) or anything like it so I decided to sniff the traffic and use 1Password to see if anything happened.
tcpdump -i lo0 -s 65535 -w info.pcap
Once i had a bit of data, I imported it into Wireshark and saw the following stream.
If you follow that stream you can see the following in clear text if you fill a website username/login field with 1Password.
So it appears 1Password is sending data to the browser extensions over the loopback interface in clear text and not only passwords but credit card data as well if you use it for checkout forms. If anyone is sniffing your loopback they can get any data passing between the two. I haven’t dug into it much more than that as things are a bit hectic.
I also looked at Dashlane and how they did this type of communication and everything was encrypted. I have not checked out Safe-in-Cloud or Enpass.
Note: I reached out to agilebits via their email, they didn’t have a security email but they have a standard support email email@example.com, which tells you that you can email firstname.lastname@example.org for urgent issues. I emailed both not too long ago and would call them but they hide their whois info and don’t provide it on their website. They really really really want you to use their support forum.
Since this deals with people’s passwords, is a local to the device issue and is so easy to do I thought quick disclosure would be a good idea so people can decide whether or not to disable the browser extensions.
Update (3/2/2016 11:39 pm MST): I’d like to add a note, I’m not saying don’t used 1Password and I’m not saying this is a massive security issue. I was simply telling people so they knew. I’m a bit surprised about some of the 1Password responses about how this was already known.
From 1Password’s own website:
“The connection between 1Password mini and the browser extension is authenticated and secure.”
You can read further on their link here where they do put caveats and say that if someone has root on the system they basically can’t protect you. Which is true, but I feel they should make it a little harder then tcpdumping out the loopback interface. They feel whatever they do can just be undone by an attacker, I think maybe something is better than nothing.
I think it has been a good discussion on both sides. I have learned to be a lot more clear and include a lot more details in the future. The 1Password team seems like a great group of people.
Side note: Dumped out Safeincloud’s stuff, it looks like they encrypt or obfuscate the fields