RSS FeedBlogs

Unscrewing Security

Alec Muffett

RSS FeedSubscribe to this blog
About Author
Alec Muffett

Alec Muffett is a veteran security geek who believes strongly in common sense, full disclosure, defence in depth, privacy, integrity, simplicity and open source. He is an independent consultant, writer, and speaker specialising in security education.

Rare OSX 1Password flaw exposes plaintext passwords, password history

Bug rapidly caught and fixed, but users should check their logfiles for sensitive data

Article comments

Sunday afternoon I was writing a CWUK posting using my Snow Leopard Macbook Air - plus Chrome, Safari, all the other usual suspects, as well as 1Password, a password-keysafe product from AgileBits.

It's not clear what happened next, but as I wrote in the subsequent bugreport:

...a few times now I have tried using the [Chrome] plugin to log in to sites where I have an account, only to have the plugin 'burp' with the message "Unknown Error". Mostly the plugin works, but two or three times it 'burped'.

Okay, I thought, that's just a boring bug... until I checked the syslog file for other reasons and found the attached logfile entries:

Sep 4 15:32:22 local-addr-70 1PasswordAgent[210]: -JSONRepresentation failed. Error is: JSON serialisation not supported for (null)

Sep 4 15:32:22 local-addr-70 1PasswordAgent[210]: Failed to create JSON: { fields = ( { designation = username; id = Email; name = Email; type = T; value = "alec.muffett"; }, { designation = password; id = Passwd; name = Passwd; type = P; value = XXXXXXXXXXXXXX; }, { id = PersistentCookie; name = PersistentCookie; type = C; value = "YYYY"; }, { id = signIn; name = signIn; type = I; value = "Sign in"; } ); htmlAction = ""; htmlID = "gaia_loginform"; htmlMethod = post; passwordHistory = ( { time = 00000000000; value = ZZZZZZZZZZZZZZ; } ); }

For those that don't read JSON I will summarise; some glitch in the configuration, code or environment surrounding the 1Password software agent caused it to report what it was doing - and at the time it was chewing on its password database. So what it did was to dump records from the database right into the system logfile - in fact not one record, but three, and the strings I've highlighted in the example record as XXXXXXXXXXXXXX and ZZZZZZZZZZZZZZ were filled with my Google Account password and its historical predecessor, respectively.

Leaking passwords in plaintext is (obviously) a bad idea; it has happened before - I've encountered Telnet and FTP daemons doing the same thing many years ago - but still it's bad, and slightly sloppy.

I mailed 1Password's support alias on Sunday at 16:38h and received a response from Dave Teare - company founder - about 2.5h later; he confirmed clearly and forthrightly that 1Password should never log plaintext password data, and that that aspect of the issue had now been fixed and rolled into an update (3.8.3) - available immediately. Two hours from report to public-fix struck me as pretty good. Kudos goes to Dave Teare and Jeffrey Goldberg at AgileBits for their rapid response and personal involvement.

Our subsequent e-mails focused upon trying to recreate the problem and we couldn't. We hypothesise that it was caused by some interaction between a recent Chrome update, a 1Password update, or perhaps having multiple browsers open in different states. As of writing there have been no other incidents reported, but it's not the sort of bug that will necessarily be spotted.

Frankly we don't know what caused it, but if you're a 1Password user on OSX then you probably want to update your client software and check your logs for information that you might not want to have lying around in plain text. A command like:

cd /var/log ; ( cat *.log ; bzcat *.log.*.bz2 ) | grep -i 1password | grep JSON

...will probably help diagnose whether you are so affected.

Follow me as @alecmuffett on Twitter and this blog via the RSS feed.


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
* *