We were just contacted by a research group formed by Ben Adida at Harvard University, Adam Barth at Berkeley University and Collin Jackson at Stanford University. They alerted us to a security issue concerning the Passpack It! button (aka the 1Click Login bookmarklet). We fixed it immediately.
How the issue was discovered — The three researchers mentioned above are preparing an in-depth study on bookmarklets, and the Passpack It! button is one of those they examined. We were able to fix this quickly thanks to the open collaboration of the research group.
Technical description — When building the 1 Click Login process, we noticed that requests from some sites were arriving at the server without the referring URL (the Referer header). To avoid having to refuse 1 Click Login access to those sites, the button also gathered the originating URL itself (saved as an encrypted token) and sent it along with the referring URL in the page header. When the referring URL was missing, the server used the URL gathered by the button instead to decide which encrypted login information to reply with. The researchers therefore intentionally suppressed the referring URL header and redefined a JavaScript method used in the URL collection process, so that the URL collected by the button could be manipulated.
An example in Layman’s terms — Jack opens his Passpack account and turns on 1 Click Login. Jack starts browsing the internet and happens upon a malicious website built to fool him into pressing his Passpack It! button. Jack falls for it and presses his button. The malicious site then pretends to be, for example, delicious. If Jack has an entry saved in his pack for delicious, the site would be able to retrieve the login credentials for delicious.
The scope of the problem — The malicious site needs to include code written specifically for Passpack 1 Click Login; generic code would not work. Additionally, Jack must actually be fooled into clicking his button while visiting the site. This may be achieved by typical phishing techniques, where the malicious site copycats another well-known site. Jack must both have an entry for the copycatted site in his account and have 1 Click Login activated at that exact moment.
What we did to fix this — We now strictly enforce that the server only responds to calls from the 1 Click Login button that are accompanied by a referring URL.
What it means for you — This will cause sites that suppress the referring URL to no longer work with 1 Click Login.
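To make the server-side decision described in the technical description and the fix concrete, here is an added example (not Passpack's code; the pack contents, URLs and function names are constructed) that contrasts the original fallback lookup with the fixed one. It also refuses a request whose button-collected URL disagrees with the referring URL, a cross-check that goes beyond the fix stated above.

```python
from urllib.parse import urlsplit

# Constructed sample "pack": entry host -> encrypted login blob.
# Placeholder values only, not real Passpack data.
PACK = {
    "delicious.com": b"<encrypted-login-for-delicious>",
    "example.org": b"<encrypted-login-for-example>",
}


def origin_host(url):
    """Return the lower-cased host of an http(s) URL, or None if absent/unparsable."""
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def lookup_before_fix(referer, button_url):
    """Original behaviour: when the Referer header is missing, fall back to
    the URL the bookmarklet collected in the browser. That value is under the
    control of the page the button was pressed on, so it must not be trusted."""
    host = origin_host(referer) or origin_host(button_url)
    return PACK.get(host)


def lookup_after_fix(referer, button_url):
    """Fixed behaviour: a missing or unparsable Referer is refused outright.
    Hypothetical extra check (not part of the fix described in the post):
    if the button also reported a URL, it must name the same host."""
    host = origin_host(referer)
    if host is None:
        return None
    claimed = origin_host(button_url)
    if claimed is not None and claimed != host:
        return None
    return PACK.get(host)
```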
Thanks Adam, Ben and Collin!


6 Comments
Will we get any info on what the issue was?
Can you give some more details on this issue? Frankly, this is the #1 concern I have with online password services and I would like to become a bit more educated about this “enemy”. Saying “we had a problem, but don’t worry about it” is not very reassuring!
Confusing! All the unwanted features make me dizzy. Passpack should focus on the core and make it work for all sites, not chase the bells & whistles. I’m getting tired of your cluttered screen.
Who are Adam, Ben and Collin?
Are they part of the Passpack team?
Ignore my last...
I have read a second time!!
@Johannes, @erik
I have updated the post. Please let me know if you need more information – I hope it’s clear.
@May
Sorry you feel that way. You mentioned a cluttered screen – can you let me know exactly which screen (some, all, etc) that you have in mind? If you prefer, you may also email me with details at tara@passpack.com.
Thank you – this type of feedback really helps us stay on track with your expectations.