It’s Cybersecurity Awareness Month! Join our interactive training session, or learn about security and AI from 1Password experts.
Forum Discussion
New exploit
I just read about this exploit which seems like it could trick 1Password due to the url trick: https://x.com/nicksdjohnson/status/1912439023982834120?s=46&t=AJ8QxRZyw0qhDN040YYHYg Be careful everyb...
This describes a clever exploit which depends on user content being hosted under the same domain (google.com) as the company's authentication infrastructure and communications. Other platform providers which do the same or very similar things have similar spoofing problems.
How might something similar exploit 1Password users? Obviously phishing email could be sent as something@1password.com which passes any filters, but there is no equivalent of sites.1password.com on which to host a phishing page through which to exploit 1Password's authentication infrastructure... or is there? It looks like static nonces are used for `script-src` and `base-uri` is missing, so ther may be XSS options.
You might be better off buying 1passsword.com $3,488: it's cheaper than 1password.ai.,though not as cheap as 1passwords.com.
This is an AI scam post (which hilariously also misunderstood the attack vector of my original post).
Is nobody removing stuff like this?
- 1P_Blake
Community Manager
Really? 😂 In that case I am sorry, of course. The wording seemed off to me and they posted a link with 3 "s" in it. So I assumed it was a scam. If that is not the case, I apologize, of course.
I also didn't mean the exploit could target 1Password users in the sense that it could imitate 1Password but in the sense that it could trick the autofill feature which I (and I assume most people) also use as a URL checker.
No apology needed, danito, and thanks for vouching for my fleshy mortality, 1P_Blake. This is far from the first time I've been mistaken for a bot, dating back long before the current generation of capable LLMs.
As for my possible misunderstanding or misrepresentation in an attempt to summarise the details relevant to 1Password, I'd be glad to have it corrected.
The three "s"s are used in a classic example of a typo squatting domain (with each domain I mentioned linked to the registrar currently sitting on it), since a sophisticated phish which does not require user-created content in the same legitimate domain could use such a domain. As much as 1Password provides strong protection against credential harvesting, this remains a productive method.
Beep, boop, and - if I may be so bold - beep.
