[s800]

At least on OSX 10.11 (not sure about others), you can't sniff loopback as a normal user.

So, if you could sniff this, you'd have elevated privs anyway, which means you could read the keyboard device, memory, etc.

Not ideal, but not sure it's a glaring hole. IMHO. I'd love to hear other thoughts on how to exploit this / how I'm underestimating this hole.

[tptacek]

There is no modern OS on which you can sniff loopback without privileges.

[cortesoft]

Right, but it looks like the process listening on the port is running as the user.... what is to stop another process running as the same user from killing that process and then binding to the same port?

[tptacek]

Nothing, but if you own the user's account, you also have their /Library directory to play with.

[richard_todd]

Right, if you can watch loopback as a normal user, then the biggest problem is with machine configuration.

After that, assuming the transmission has to happen, it's just a matter of how difficult you want to make it for root to see the passwords. Since you have to arrive at plaintext in the browser itself, everything a determined root needs to decrypt the transmission will be present on the machine anyway. Still, even a simple ROT-13 to keep an honest root from accidentally seeing the password would be welcome.

[tonywebster]

The author used `tcpdump -i lo0 -s 65535 -w info.pcap` which, as a non-root user without sudo, successfully captures loopback traffic in OS X 10.11.3.

I just tried it, and with Chrome and 1Password, I was able to see my auto-filled bank password in the pcap. So, I presume any process on my system, without root privileges, would be able to sniff loopback.

I don't see why 1Password wouldn't use TLS here. This is not good.

[tptacek]

Your system is misconfigured.

    > $ tcpdump -i lo0 -s 65535 -w info.pcap                                                 
    tcpdump: lo0: You don't have permission to capture on that device
    ((cannot open BPF device) /dev/bpf0: Permission denied)

[eclipxe]

I'm on OS X 10.11.3:

tcpdump -i lo0 -s 65535 -w info.pcap tcpdump: lo0: You don't have permission to capture on that device ((cannot open BPF device) /dev/bpf0: Permission denied)

[tonywebster]

This is a fresh OS X install on a test machine :/

[tptacek]

I don't know what to tell you. Normal users can't tcpdump loopback on OSX, or anywhere else.

    > $ ls -l /dev/bpf*                                                                      
    crw-------  1 root  wheel   23,   0 Feb 29 07:59 /dev/bpf0
    crw-------  1 root  wheel   23,   1 Feb 29 07:59 /dev/bpf1
    crw-------  1 root  wheel   23,   2 Mar  2 11:11 /dev/bpf2
    crw-------  1 root  wheel   23,   3 Mar  2 10:07 /dev/bpf3
    crw-------  1 root  wheel   23,   4 Feb 29 08:11 /dev/bpf4

[tshtf]

Works for me too on OS X. sudo is not needed to run tcpdump for any interfaces.

$ ls -l /dev/bpf*

crw-rw---- 1 root access_bpf 23, 0 Mar 1 09:18 /dev/bpf0

Edit: Wireshark is installed

[tptacek]

Did you install Wireshark? Did you let it reconfigure your system? Is your current user in the "access_bpf" group?

Later

Yes. Your system is misconfigured. Don't let Wireshark do that.

[pvg]

It looks like Wireshark will happily keep your system permanently misconfigured. To fix it, disable

/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist

This actually seems like a much crummier thing than the 1Password non-thing.

[msbarnett]

    $ tcpdump -i lo0 -s 65535 -w info.pcap 
    tcpdump: lo0: You don't have permission to capture on that     device
    ((cannot open BPF device) /dev/bpf0: Permission denied)

Looks like you're logged in on a superuser account or have otherwise somehow disable some security settings.

[yborg]

I also can't access loopback on 10.11.3, I get this exact error. And I'm running as an Administrator account.

[msbarnett]

Yeah, it's that they installed Wireshark, and gave it privileges to chown the loopback interfaces.

edit: Irony here is that Wireshark is doing something far more dangerous than 1password.

[jlgaddis]

It's either a) change the group on the /dev/bpf entries and add your user to that group or b) run Wireshark as root.

[msbarnett]

b) would in general be a lot safer, in that you're elevating one process rather than lowering a privileged interface so that every process you run can sniff it.

[lttlrck]

On Linux you can give an executable admin access to network devices with setcap which narrows it down further. Is the same possible on OS X?

Edit. Actually this is worse than running as root isn't it!