![]() ![]() He and his team have been excellent at providing us with details and information upfront. Since November 2014, we’ve been engaged in discussion with Li about what, if anything, we can do about such attacks. ![]() A recent paper, “ Unauthorized Cross-App Resource Access on MAC OS X and iOS” (PDF), by Luyi Xing (Li) and his colleagues shows just how difficult securing such communication can be. For 1Password, the difficulty is in fully authenticating the communication between the 1Password browser extension and 1Password mini however, this problem is not unique to 1Password. The difficulty of securing inter-process communication on the operating system is a problem system-wide. But roughly speaking, such malware can do no more (and actually considerably less) than what a malicious browser extension could do in your browser. The fact of the matter is that specialized malware can capture some of the information sent by the 1Password browser extension and 1Password mini on the Mac under certain circumstances. I should point out that even in the worst case, the attack described does not get at data you have stored in 1Password. ![]() Recently, security researcher Luyi Xing of Indiana University at Bloomington and his co-authors released the details of their research revealing security vulnerabilities in Apple’s Mac OS X and iOS that allow “a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome.” It has since been described in the technology press, including an article in the Register with a somewhat hyperbolic title. Wherein we discuss how 1Password protects inter-process communication in the face of cross-app resource access (XARA) attacks. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |