by NicolaiS 1247 days ago
You are misunderstanding the attack. The attack's requirement is: replace two encrypted files (e.g. by gaining access to someone's Dropbox that contains the synced db), wait for them to leak "secretA" on "siteB" because `pass` doesn't securely bind secret and sites together. The attack is very realistic and high impact (but hard to perform).
1 comments

Is pass able to decrypt ssh key files, or trick the user into decrypting them?

One of the files in the example is not a pass encrypted file but an ssh private key ("id_ed25519"). ssh private keys are either unencrypted or encrypted with a passphrase (but not via GPG in any case, and GPG of course is what pass uses).

The only way the outlined attack would be better than just uploading via curl is if pass could somehow enable the attacker to get a decrypted ssh private key. But I can't imagine why pass would be capable of doing that.
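
The first comment's point, that nothing ties an encrypted file to the site it is stored under, shown from the detection side as an added example (not part of the thread and not `pass`'s own code). It assumes a hypothetical integrity manifest keyed with a secret that is kept outside the synced folder; the file names, key and ciphertext bytes are constructed.

```python
import hashlib
import hmac

def entry_tag(key: bytes, name: str, blob: bytes) -> str:
    """MAC over the entry name AND its ciphertext. The name is length-prefixed
    so the boundary between the two fields is unambiguous."""
    raw = name.encode()
    return hmac.new(key, len(raw).to_bytes(4, "big") + raw + blob,
                    hashlib.sha256).hexdigest()

def build_manifest(key: bytes, store: dict) -> dict:
    return {name: entry_tag(key, name, blob) for name, blob in store.items()}

def find_tampered(key: bytes, store: dict, manifest: dict) -> list:
    """Names whose blob no longer matches the tag recorded for that name
    (swapped, modified, added or missing entries)."""
    bad = set(manifest) ^ set(store)
    for name in set(manifest) & set(store):
        if not hmac.compare_digest(entry_tag(key, name, store[name]), manifest[name]):
            bad.add(name)
    return sorted(bad)

def unbound_check(store: dict, known_hashes: set) -> bool:
    """Weak check for contrast: every blob is a known-good ciphertext, but
    nothing says which name it belongs under."""
    return all(hashlib.sha256(b).hexdigest() in known_hashes for b in store.values())

def swap(store: dict, a: str, b: str) -> dict:
    out = dict(store)
    out[a], out[b] = store[b], store[a]
    return out

# Constructed sample data: stand-ins for GPG-encrypted entries.
KEY = b"constructed-demo-key-not-in-synced-folder"
STORE = {"siteA.gpg": b"<ciphertext of secretA>",
         "siteB.gpg": b"<ciphertext of secretB>"}
MANIFEST = build_manifest(KEY, STORE)
KNOWN = {hashlib.sha256(b).hexdigest() for b in STORE.values()}

if __name__ == "__main__":
    swapped = swap(STORE, "siteA.gpg", "siteB.gpg")
    print("unbound check passes after swap:", unbound_check(swapped, KNOWN))
    print("name-bound check flags:", find_tampered(KEY, swapped, MANIFEST))
```

Both swapped files are still valid, decryptable ciphertexts, which is why a check that ignores the name passes; only the tag that covers name and ciphertext together flags them.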