SIK-2016-038


Title:

Subdomain Password Leakage in 1Password Internal Browser

Report ID

SIK-2016-038

Summary:

  • Vendor: AgileBits
  • Product: 1Password – Password Manager
  • Affected Version: 6.3.3
  • Severity: medium
  • Short summary:

The Android app “1Password” in version 6.3.3 does not distinguish subdomains when inserting passwords into web forms in its internal browser. If an attacker is able to register a subdomain within the same domain as the target, he can obtain the password of the target.

Details:

Assume that the user has stored a password for “domain1.wordpress.org”. The attacker registers “domain2.wordpress.org”, which is easily possible, because the centrally-hosted WordPress service gives out free subdomains for new blogs. Assume further that the user opens “domain2.wordpress.org” in the password manager’s internal web browser. The password manager will now assume that the credentials stored for “domain1.wordpress.org” are also applicable to “domain2.wordpress.org”, because it only compares “wordpress.org” as the URL, not the subdomains. As a consequence, the wrong credentials are filled into the web form of the attacker-controlled domain “domain2.wordpress.org”. The attacker-controlled website can then leak these credentials to the attacker.

Technical details: The function “showLogins” in class com.agilebits.onepassword.activity.AutologinActivity. The regular expression used for splitting the URL is faulty:

Pattern.compile(“([\w\d]\.)?(.\..*)”);

Splitting URLs with regular expressions should be done with extreme caution to avoid unintended consequences such as the one described in this advisory.

The issue allows an attacker to extract credentials stored in the password manager for other domains as long as he is able to register a subdomain under the same domain as the target for which he wants to obtain the credentials. Consequently, restricted domains for which no new subdomains can be obtained are safe with regard to this attack. On the other hand, popular domains such as wordpress.org or tumblr.com as well as many free website hosting providers that give out subdomains are affected. For all these domains, credentials stored in the password manager are at risk.

Workaround

Users should not store credentials for websites that allow custom subdomains in the password manager until the issue has been resolved. Alternatively, users should refrain from using the app’s internal browser and instead use the operating system’s browser and the password manager’s keyboard for filling in the credentials.

Suggested Mitigation

Make sure to compare the complete domain before filling credentials into web forms or presenting credentials that can be filled in to the user. Comparing only top-level domains is insufficient.

Timeline

  • 2016-09-01 Vulnerability Reported.
  • 2016-09-27 Fixed