Forum Discussion
danito
7 months ago, Occasional Contributor
New exploit
I just read about this exploit which seems like it could trick 1Password due to the url trick: https://x.com/nicksdjohnson/status/1912439023982834120?s=46&t=AJ8QxRZyw0qhDN040YYHYg Be careful everyb...
AJCxZ0
7 months ago, Bronze Expert
This describes a clever exploit which depends on user content being hosted under the same domain (google.com) as the company's authentication infrastructure and communications. Other platform providers which do the same or very similar things have similar spoofing problems.
How might something similar exploit 1Password users? Obviously phishing email could be sent as something@1password.com which passes any filters, but there is no equivalent of sites.1password.com on which to host a phishing page through which to exploit 1Password's authentication infrastructure... or is there? It looks like static nonces are used for `script-src` and `base-uri` is missing, so there may be XSS options.
You might be better off buying 1passsword.com $3,488: it's cheaper than 1password.ai, though not as cheap as 1passwords.com.
- danito, 7 months ago, Occasional Contributor
This is an AI scam post (which hilariously also misunderstood the attack vector of my original post).
Is nobody removing stuff like this?
- 1P_Blake, 7 months ago, Community Manager
- danito, 7 months ago, Occasional Contributor
Really? In that case I am sorry, of course. The wording seemed off to me and they posted a link with 3 "s" in it. So I assumed it was a scam. If that is not the case, I apologize, of course.
I also didn't mean the exploit could target 1Password users in the sense that it could imitate 1Password but in the sense that it could trick the autofill feature which I (and I assume most people) also use as a URL checker.