<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Passpack Blog &#187; 1click login</title>
	<atom:link href="http://blog.passpack.com/tag/1click-login/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.passpack.com</link>
	<description>Passpack keeps your logins safe, organized and available 24/7. You can share passwords with your team in 100% privacy.</description>
	<lastBuildDate>Fri, 20 Aug 2010 16:17:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>FIXED: 1 Click Login Button</title>
		<link>http://blog.passpack.com/2008/10/reinstall-1click-login-button/</link>
		<comments>http://blog.passpack.com/2008/10/reinstall-1click-login-button/#comments</comments>
		<pubDate>Sat, 11 Oct 2008 11:19:36 +0000</pubDate>
		<dc:creator>Louise</dc:creator>
				<category><![CDATA[Maintenance]]></category>
		<category><![CDATA[1click login]]></category>
		<category><![CDATA[passpack]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[update]]></category>

		<guid isPermaLink="false">http://passpack.wordpress.com/?p=1456</guid>
		<description><![CDATA[We were just contacted by a research group formed by Ben Adida at Harvard University, Adam Barth at Berkeley University and Collin Jackson at Stanford University. They alerted us to a security issue concerning the Passpack It! button (aka 1Click Login bookmarklet). We fixed it immediately. How the issue was discovered &#8212; The three researchers [...]]]></description>
			<content:encoded><![CDATA[<p>We were just contacted by a research group formed by <a title="Ben Adida" href="http://ben.adida.net" target="_blank">Ben Adida</a> at Harvard University, <a title="Adam Barth" href="http://www.adambarth.com/" target="_blank">Adam Barth</a> at Berkeley University and <a title="Collin Jackson" href="http://www.collinjackson.com/" target="_blank">Collin Jackson</a> at Stanford University. They alerted us to a security issue concerning the <em>Passpack It!</em> button (aka 1Click Login bookmarklet). We fixed it immediately.</p>
<p><strong>How the issue was discovered</strong> &#8212; The three researchers mentioned above are preparing an in-depth study on bookmarklets. The <em>Passpack It!</em> button is one of them. We were able to quickly fix this thanks to the open collaboration of the research group.</p>
<p><strong>Technical description</strong> &#8212; When building the 1 Click Login process, we noticed that requests from some sites were arriving at the server without the referring URL (the HTTP Referer header). To avoid having to refuse 1 Click Login access to those sites, the button gathered the originating URL itself (saved as an encrypted token) in addition to the referring URL sent in the HTTP header. Whenever the referring URL was missing, the server used the URL gathered by the button instead to decide which encrypted login information to reply with. The researchers therefore intentionally suppressed the referring URL header and redefined a JavaScript method in the URL collection process, so that the URL information collected by the button could be manipulated by the page.</p>
<p><strong>An example in layman&#8217;s terms</strong> &#8212; Jack opens his Passpack account and turns on 1 Click Login. Jack starts browsing the internet and happens upon a malicious website built to fool him into pressing his <em>Passpack It!</em> button. Jack falls for it and presses his button. The malicious site then pretends to be, for example, delicious. If Jack has an entry saved in his pack for delicious, the malicious site is able to retrieve Jack&#8217;s login credentials for delicious.</p>
<p><strong>The scope of the problem</strong> &#8212; The malicious site needs to include code written specifically for the Passpack 1 Click Login; generic code would not work. Additionally, Jack must be effectively fooled into clicking his button while visiting the site. This may be achieved by typical phishing techniques, where the malicious site has copied another well-known site. Jack must both have an entry for the copied site in his account <em>and</em> have 1 Click Login activated at that exact moment.</p>
<p><strong>What we did to fix this</strong> &#8212; We now strictly enforce that the server only responds to calls from the 1 Click Login button that are accompanied by a referring URL.</p>
<p><strong>What it means for you</strong> &#8212; Sites that suppress the referring URL will no longer work with 1 Click Login.</p>
<p>Thanks Adam, Ben and Collin!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.passpack.com/2008/10/reinstall-1click-login-button/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
