OS X/iOS flaws may make passwords vulnerable


Dan Goodin:

Researchers have uncovered huge holes in the application sandboxes protecting Apple's OS X and iOS operating systems, a discovery that allows them to create apps that pilfer iCloud, Gmail, and banking passwords and can also siphon data from 1Password, Evernote, and other apps.

This is an interesting situation that seems to expose users even when an application has not been granted administrative rights. It appears, however, that the flaws with regard to website passwords may be no worse than installing a malicious browser extension.

1Password developer Agile Bits responded, saying that there are basically no easy fixes. They recommend being vigilant when installing software and extensions. Additionally, as far as 1Password goes, the exploit appears to require the absence of the 1Password mini background app. Ensuring that 1Password mini is properly running should provide some shelter as the browser transmits passwords to 1Password.

Agile Bits:
The threat is that a malicious Mac app can pretend to be 1Password mini as far as the 1Password browser extension is concerned if it gets the timing right. In these cases, the malicious app can collect Login details sent from the 1Password browser extension to the fake 1Password mini. The researchers have demonstrated that it is possible to install a malicious app that might be able to put itself in a position to capture passwords sent from the browser to 1Password.

Note that their attack does not gain full access to your 1Password data but only to those passwords being sent from the browser to 1Password mini. In this sense, it is getting the same sort of information that a malicious browser extension might get if you weren't using 1Password.

The distinction is that, with regard to 1Password, the only password at risk is one transmitted from the browser to 1Password. For example, this may happen when you're entering or updating a password. It appears your master password and your bank of stored passwords are not at risk.