New exploit

Question

I just read about this exploit which seems like it could trick 1Password due to the url trick:

https://x.com/nicksdjohnson/status/1912439023982834120?s=46&t=AJ8QxRZyw0qhDN040YYHYg

Be careful everybody.

ajcxz0 · Answer

No apology needed, danito​, and thanks for vouching for my fleshy mortality, 1P_Blake​. This is far from the first time I've been mistaken for a bot, dating back long before the current generation of capable LLMs.As for my possible misunderstanding or misrepresentation in an attempt to summarise the details relevant to 1Password, I'd be glad to have it corrected.The three "s"s are used in a classic example of a typo squatting domain (with each domain I mentioned linked to the registrar currently sitting on it), since a sophisticated phish which does not require user-created content in the same legitimate domain could use such a domain. As much as 1Password provides strong protection against credential harvesting, this remains a productive method.Beep, boop, and - if I may be so bold - beep.

ajcxz0 · Answer

This describes a clever exploit which depends on user content being hosted under the same domain (google.com) as the company's authentication infrastructure and communications. Other platform providers which do the same or very similar things have similar spoofing problems.

How might something similar exploit 1Password users? Obviously phishing email could be sent as something@1password.com which passes any filters, but there is no equivalent of sites.1password.com on which to host a phishing page through which to exploit 1Password's authentication infrastructure... or is there? It looks like static nonces are used for `script-src` and `base-uri` is missing, so ther may be XSS options.

You might be better off buying 1passsword.com $3,488: it's cheaper than 1password.ai.,though not as cheap as 1passwords.com.

danito · Answer

This is an AI scam post (which hilariously also misunderstood the attack vector of my original post).Is nobody removing stuff like this?

1p_blake · Answer

danito​ Just to clarify real quick, AJCxZ0​ is very much a real person, not AI. 😅

danito · Answer

Really? 😂 In that case I am sorry, of course. The wording seemed off to me and they posted a link with 3 "s" in it. So I assumed it was a scam. If that is not the case, I apologize, of course.I also didn't mean the exploit could target 1Password users in the sense that it could imitate 1Password but in the sense that it could trick the autofill feature which I (and I assume most people) also&nbsp;use as a URL checker.

Forum Discussion

New exploit

6 Replies

Recent Discussions

Lounge Makes Community Confusing

Using Claude Desktop Model Context Protocols

Stats on Community Activity

Did the 1Password community change?

1Password Switch page not working