
Disclosure: I work for AgileBits, makers of 1Password.

For browser extensions, the URL constructor would be even easier: https://developer.mozilla.org/en-US/docs/Web/API/URL/URL (Yes, I know it says that IE doesn't support it, but IE doesn't have a proper extensions framework, so it's irrelevant to this topic.)
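As an added illustration of the approach suggested above (my own example, not code from the thread or from any 1Password extension), the WHATWG URL constructor handles the URL shapes that hand-written regexes tend to mis-parse, and throws on input that is not a URL at all; the sample inputs are constructed:

```javascript
// Extract the hostname of a tab URL with the URL constructor instead of a regex.
// Returns null for anything that is not a parseable http(s) URL, so a caller
// never matches a vault entry against an unparseable or non-web address.
function tabHostname(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);       // throws TypeError on malformed input
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null;                    // e.g. chrome://, javascript:, data:
  }
  // .hostname drops userinfo, port, path, query and fragment, and the
  // parser has already lower-cased scheme and host per the URL Standard.
  return parsed.hostname;
}

// Constructed sample inputs: the shapes a regex commonly gets wrong
// (userinfo before '@', explicit port, IPv6 literal, upper case, no scheme).
const SAMPLES = [
  'https://www.example.com/login?next=/account',
  'https://other.example:8443/path',
  'https://login.example.com@other.example/',
  'https://[2001:db8::1]:8080/',
  'HTTPS://EXAMPLE.COM/Case',
  'chrome://extensions/',
  'javascript:void(0)',
  'not a url at all',
  'example.com/no-scheme',
];

// Pairs each sample with the hostname the extension would compare against.
function hostnameTable() {
  return SAMPLES.map((u) => [u, tabHostname(u)]);
}
```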

While you are here, can you confirm whether a similar regex vulnerability does not affect 1Password?

I had a quick look at the 1Password chrome extension source and it seems to me like they are using window.URL[0].

See this pastebin[1] for the function I believe is determining the url of the active tab and if it has a valid hostname.

There's also this one[2] that seems to be extracting the hostname of a given url also using the URL API.

Both these pastebins contain minimized code that I've cleaned up.

0: https://developer.mozilla.org/en-US/docs/Web/API/URL

1: http://pastebin.com/tWns7XmG

2: http://pastebin.com/PXS1iqsq

Not a dev on either product, but I use 1Password for my personal accounts, and a corporate LastPass for my work accounts. I do not believe that 1Password is as immediately vulnerable as LastPass.

LastPass (on Chrome) will auto-fill information on a detected site, which a malicious site can read immediately.

1Password (on Chromium nightly) requires me to hit the 1Password Mini button and select a site/account to log in with. If 1Password had a similar vulnerability, a malicious site as described would merely wind up showing me accounts for the wrong site in the dropdown. Clicking one could wind up submitting/leaking my credentials to the attacker, though.

1Password doesn't auto-fill, but you can press [Ctrl|CMD] + \ to fill in the password automatically based on the detected domain.

It does have an "open and fill" feature which autofills, but only immediately after opening the site by URL first. (So the attacker's URL would have to be saved in 1Password along side your credentials.)

This is actually how I use 1Password most often. Global hotkey of cmd+opt+\, type a site name, hit enter: 1Password opens the site and logs in.

If they're not using regex, they can't be affected by it anyway.


> You downvoters can go fuck yourselves.

Please don't do this on Hacker News.

I save downvotes for truly awful comments made in a blaming way. If a comment I've made is non-blaming, yet addresses the more uncomfortable bits of reality, I fully expect to be downvoted. In this case, within several minutes I was at -2, even when there was no "fuck yourselves" in the post. Interestingly enough, when I added it, there appeared to be more commenting occurring.

While I would agree that this place would be better off without judgment, and harsh judgment as I've shown here, the reality is that we all share this place equally with others who do not stop and consider their actions as affecting others' thought processes in a negative way. I put this on here to illustrate that point in a non-obvious way, and in a way people CAN understand: anger. It's not the only way of course, but it does get the bug into people's brains quite well.

I appreciate your comment and intent behind it.

Interesting view on the matter, even if I don't quite agree with your prev comment (too tired now to argue why, sorry).

I very much agree that downvoting without comment (indeed except for the truly awful ones that would just draw needless noise because of it) is an anti-pattern. But I am occasionally guilty of it myself as well, partly because writing a reply to a not-quite-awful comment costs me a lot of time (even if it's a short cmt).

The greying-out of downvoted comments doesn't help with the perception of receiving a downvote without comment either (makes it feel more harsh, IMO). I'd prefer showing the counts again, actually.

It happens often enough that a comment gets downvoted initially, and then gets sympathy upvotes from people who don't find it bad enough to be voted down. It may help to wait a few more minutes.

Here's some context: I am a former LastPass user for many years and current (concerned) 1Password user wondering if I should be changing all of my passwords again.

My goal was to settle concern for myself and other 1Password users. That's why I wrote whether a similar vulnerability "does not affect 1Password" instead of "does". My apologies if this was unclear.

Why did you switch from LastPass to 1Password?

I recently started using LastPass after years of reusing the same uncrackable password: !p@ssword123

You didn't ask me, but, several things:

- This is the second serious security incident with them. Nobody's immune to bugs, but I haven't seen a similar history with AgileBits.

- LastPass has, IMHO, terrible UI/UX. Things don't work consistently, there are weird, unexpected pauses that look like malfunctions until something visible happens; it took me a comparatively long time to figure out how to map common actions to the gestures that perform them; and finally, this is way down the priority list, but I find it generally kind of ugly. I suspect some of these complaints are partially linked to the next point.

- Lastpass is more trouble than it is worth in Safari/Mac.

I've used 1Password personally since 2008-ish, and think I've had exactly one nontrivial problem with it in that time, which was my fault. (There was some upgrade-path weirdness with the iOS version several years ago, and I left a device unused long enough that it ended up with orphaned data I couldn't sync. I forget the details of what exactly happened.)

1Password Teams didn't exist when my company started using Lastpass, but I'm hoping to get switching onto the low-priority project list.

> - Lastpass is more trouble than it is worth in Safari/Mac.

Can't agree with this more. I've had so many issues with LastPass staying logged in one browser across sessions, even though the preferences are set to logout after short inactivity windows and on browser quit. LastPass seemed to lose its preferences like this multiple times, and it made me uncomfortable from a security perspective to not know for sure when my sessions would actually end.

Besides that it's mostly UX issues for me, similar to what you've described.

I also prefer 1Password's pronounceable random password generator vs LastPass's generator (obligatory xkcd https://xkcd.com/936/).

Another really cool trick it plays is that it enables Secure Input, as it should, but then never disables it. So it breaks 3rd party tools that expand shortcuts, automate UI actions, etc. like TextExpander, which I use a lot.

I've had this trouble in Chrome quite a bit too. For example, system level text expansions break in the Chrome omnibox. I think that's independent of LastPass, but I could be wrong.

I'm actually talking about sort of the reverse. Secure Input is a system-level thing; it disables input capture via the accessibility API (which things like TextExpander use), which affects everything on the machine. That is what you want; when typing a password, there is no good reason for other code to be reading what you (or LastPass) are typing. You just also want it to be turned back off when you're done.

But after the first use of the LastPass Safari extension, TextExpander (or KeyboardMaestro, or a bunch of other tools) won't work anywhere until after a reboot or some other method of disabling SI.

> ...I'm hoping to get switching onto the low-priority project list.

You should maybe try and get it on the high priority list. On August 1st the Teams pro plan will increase from $4/user/mo. (introductory price) to $12/user/mo. for new signups: https://1password.com/teams/pricing/

Just got an email from our Security team saying we should stop using lastpass.

I've been using LastPass for years now, but I'm starting to explore other options.

For me, the biggest pain point is the interface. The automatic form filling rarely works as it should; I click the LastPass icon in the username field, select the site, and it only populates the username (even though there is an input with type="password" right below it).

I then have to:

1) Press ALT+W to bring up the LastPass site search

2) Type in the domain name

3) Find the correct entry, and then click "Show Password"

4) Use my mouse to highlight the password and copy it (there is no quick way to copy the password)

5) Close the tab, go back to the original site, put my cursor in the password field and paste it

And then I have to worry about what password I may or may not have lingering in my clipboard.

If anyone has a better workflow please let me know. I'm envious when I watch coworkers use 1Password to populate a form in two steps using hotkeys.

Using Chrome on Windows, I can right-click anywhere in the browser window, select "LastPass", select "Copy Password", and click the domain/user. (There's usually only one listed, unless I have multiple accounts on the site.)

Then just click the password field and Ctrl-V, of course.

If you're concerned about the clipboard, get in the habit of typing Shift-LeftArrow Ctrl-C after entering the password, to quickly replace your clipboard with a single character.

> And then I have to worry about what password I may or may not have lingering in my clipboard.

I'm not sure how LastPass does it, but 1Password does clear the clipboard after a short period of time (configurable, I think 90 seconds by default). I use clipboard logging via Alfred, and can confirm that however they clear the clipboard works to keep them out of its log.

I use 1Password like that. I'm starting to explore other options because I'd much rather pay for open source software. Dropbox and 1Password are the only proprietary software I really depend on... cause it's 2016 and everyone else got the memo, even Microsoft is changing.

What browser are you using? Lastpass usually autofills for me, and if it doesn't, there's a menu widget in both the password field and the plugin menu that goes right to the domain, and has a copy password to clipboard option.

Two things: 1Password has a smoother experience on iOS, and I prefer the one-time purchase model, whereas LastPass is only available as a subscription.

(Without a paid subscription, bookmarklets on mobile still work for free of course. But I found that login flow so cumbersome.)

I see no need to read that into it. It's a reasonable question. Sounds like they just want to know if they, as a 1Password customer, could be affected. A little misguided, but a reasonable question.

Or maybe he's just curious if this type of url regex fail is more widespread among similar software.

This is something I'm generally curious about, especially with regex vulnerabilities being such a hot topic in software right now. See, for example, the regex issue last week that caused Stack Overflow to go down [0]. That aside, my concern stems solely from being a 1Password customer.

[0]: Stack Overflow Outage Postmortem https://news.ycombinator.com/item?id=12131909

Then say that as a hypothesis and stop asking leading questions (which are blaming in nature) from people who make it their business.

I was about to downvote after reading your edit, but part of me likes that attitude. That you're so passionate about your objection actually helped me arrive at the same conclusion. That and my own thought: Why would a developer come on here to suggest a fix if they weren't aware of this potential security flaw?

There are appropriate channels to ask questions like that and appropriate times to downvote. But, hey, I'm not here to offend the hivemind. Please have mercy ;)

Why not take a look at the code injected by 1Password's browser extension and find out for yourself whether it handles URLs safely? That shouldn't be hard to do, and it's a lot healthier for the community than discouraging devs to participate by taking their presence as an opportunity for drive-by pot shots.

I'm sorry, but I don't see how asking an employee of the company that makes the product that I use every day is "discouraging devs to participate by taking their presence as an opportunity for drive-by pot shots".

I think an official word holds more clout and is more valuable than any one person confirming for themselves in one version of one browser on one version of one OS.

I did speak rather harshly in my prior comment, and for that I apologize. Worse, I did a very poor job of expressing the concern that motivated me to respond. But I think it's still fair to ask whether your initial comment has value.

I understand that, as a user of 1Password's browser extension(s), you may well feel some concern that a similar vulnerability exists, and I don't think it's unreasonable to want reassurance on that score.

But I think your phrasing and framing of the question feels a lot more like a "gotcha" than anything else, and it's that feeling which motivated my prior comment - I'm not an AgileBits dev myself, but if I were, I'd feel strongly inclined to shy away from that question rather than trying to frame an answer that doesn't leave me open to a potentially hostile followup.

I understand a concern with my phrasing -- to be honest, I didn't put much thought into it as far as considering multiple interpretations.

I have sent a message to 1Password through the official customer support channel to ask the same question posed here. I'll update once they reply.

Update: Here's the response from earlier this morning:

> Thank you for taking the time to write to us here at AgileBits. The current version of the 1Password extension does not use regex to parse URLs for this exact reason. We don't autofill either, which also helps avoid issues like the one you mentioned.

Fwiw, his question did not sound at all like that to me. Your reaction feels like unfair personal bias. Not trying to start a fight, but you seem open-minded enough to hear it, so I figured I'd let you know.

Not at all. But I would be interested to hear what sort of bias you saw in my prior comment. I mean, I don't think you're wrong, but beyond the downvotes, I only have my own perspective to go on here, and I'd appreciate the benefit of having yours as well.

Sure. I took the original question at face value: it was a user who was concerned and wanted reassurance. Imo, it's a big leap to read it instead as a setup for a hostile "gotcha" style followup. I mean, is it possible? Sure. But there's no evidence for that interpretation. And to take a stats view, the Bayesian priors aren't there (ie, most people aren't conniving snakes). Given that, it seemed to me that you were bringing your own kind of evidence to the table -- perhaps a personal experience in which you'd been similarly set up and mistreated.

Not the poster you replied to, but there were 2 types of bias I saw:

1: Defensiveness. It seemed more like an honest question than a pot shot. You seemed to read into it something like "Aha! How about your software fool!?!"

That said, if it were a reporter asking the question, then I would see it as a gotcha, because the use of the word confirm is used as a setup sometimes.

2: Tech bias. Not everyone on here is a Dev, and even though I know a fair bit about programming it would not be a trivial task to do what is simple for you regarding checking out code injections and what they do re a security standpoint. That would probably be a long afternoon of googling for me :)

Just my view...

Also, just because we're on Hacker News, it doesn't mean every reader is equipped to audit code for security vulnerabilities.

Presumably that's the job of a professional security developer that might reasonably be expected to have checked their own similar product for this vulnerability...

Fair. I would, though, expect someone whose HN profile identifies him as an experienced full-stack engineer to be up to the challenge of spotting something as basic as an extension injecting code into untrusted DOM and trusting the results that code gives back.

Chill. There's no need to bash other people's expertise. We get it, you're an expert in the domain, but this is adding nothing to the conversation.

URL constructor looks great! Just wish it was stable. I normally don't have to worry about IE very much anymore anyways.
