Forum Discussion
New exploit
I just read about this exploit which seems like it could trick 1Password due to the url trick:
https://x.com/nicksdjohnson/status/1912439023982834120?s=46&t=AJ8QxRZyw0qhDN040YYHYg
Be careful everybody.
6 Replies
- AJCxZ0Bronze Expert
This describes a clever exploit which depends on user content being hosted under the same domain (google.com) as the company's authentication infrastructure and communications. Other platform providers which do the same or very similar things have similar spoofing problems.
How might something similar exploit 1Password users? Obviously phishing email could be sent as something@1password.com which passes any filters, but there is no equivalent of sites.1password.com on which to host a phishing page through which to exploit 1Password's authentication infrastructure... or is there? It looks like static nonces are used for `script-src` and `base-uri` is missing, so ther may be XSS options.
You might be better off buying 1passsword.com $3,488: it's cheaper than 1password.ai.,though not as cheap as 1passwords.com.