A number of iOS apps, including 1Password, have a security problem in how they handle OAuth tokens. 1Password 3.6.5, which was submitted to Apple several days ago, fixes this. This will be a free update for all owners of 1Password for iPhone, 1Password for iPad, and 1Password Pro (for iPhone and iPad). We can’t predict how long Apple’s approval process will take, but the update should be available soon, if it isn’t already by the time you read this.

Because of this bug, someone who gains physical access to your device may be able to copy authentication tokens off of it, then install those tokens on their own device to access your Dropbox data. It is not entirely clear at the moment under what circumstances an attacker will also need the device passcode. It appears that if the device has previously been synced with the computer, the passcode isn’t required. In any case, it is important to protect your iPhone, iPad, or iPod Touch with a good passcode.

We have been extremely careful in how we store your Dropbox username and password for automatic syncing, but like many others, we didn’t take the appropriate precautions when it came to OAuth tokens. These tokens allow quick connection to Dropbox (Facebook and other services also use OAuth). Of course, any 1Password data that an attacker fetches from your Dropbox account is still encrypted by 1Password.

In 1Password 3.6.5, which we submitted to Apple at the beginning of the week, we store OAuth tokens securely in the iOS keychain, where they are properly encrypted and cannot be copied to other devices. However, if other apps that use Dropbox have the same problem (and it looks pretty common), then OAuth tokens can be copied from those apps as well.

To manage your Dropbox devices, log in to your Dropbox account with a web browser, and under your account name, go to Settings and then “My Computers”. If you suspect that an OAuth token has been stolen, you can unlink the computer or device. After that you will need to relink the computer or device to your Dropbox account using your Dropbox username and password.

Alternatives to Dropbox

Every time there is a security issue with Dropbox, people rightfully suggest that we offer alternative syncing mechanisms. At this point, there is nothing that I’m in a position to say beyond what we’ve said earlier in “Dropbox Terms”. There are developments, but nothing I am even willing to hint at just yet.

The changes coming in 3.6.5 are all about security and bug fixes. Please see “1Password 3.6.5 for iOS is out with PBKDF2 goodness!” for details.

Appendix: When is a passcode required for this attack?

When an iOS device is connected to a computer that it hasn’t connected to previously, the user will be prompted to enter the passcode on the iOS device. After that first connection, the computer will store some keys that will allow it to unlock the iOS device for future connections. So once you have unlocked your iPhone for a particular computer, when you plug it in later, you do not need to unlock it for the file system on the device to be visible to tools like iExplorer. This is presumably why initial reports of this issue claimed that no device passcode was necessary to extract the files containing the OAuth tokens.

There is, unfortunately, one further complication. iTunes will automatically unlock the device for any user account on the same computer that the device has previously been unlocked on. That is, if Alice and Bob both have user accounts on the same Mac, and Alice has at one point entered her passcode on her iPad to allow syncing, then Bob will be able to gain access to most of Alice’s iPad simply by using iTunes in his account on the Mac.

All of the testing I have done has been with iTunes 10.6.1 on Mac OS X 10.7.3 (Lion). What is worse is that Bob’s account on the computer can also be a guest account, and he will still have access. I have not tested this with iTunes on Microsoft operating systems. What is worrisome here is that exactly the same people (co-workers, family members) who have the easiest access to your iOS devices are very likely to have some account on the same computer that you have used. Still, passcodes do matter, so please remember that a good device passcode is a good idea.
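The fix described for 3.6.5, keeping the OAuth token in the iOS keychain instead of in a file inside the app’s sandbox, as an added example that is not 1Password’s own code. It stores the token as a generic-password keychain item with the kSecAttrAccessibleWhenUnlockedThisDeviceOnly accessibility class, which keeps the item encrypted under a key tied to the device so that it is not restored onto another device; the service name, account name and function names are made up for the example.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Example code, not from 1Password. The service identifier is made up.
static NSString *const kExampleService = @"com.example.syncapp.dropbox-oauth";

// Base query identifying the single keychain item that holds the token.
static NSMutableDictionary *tokenQuery(NSString *account) {
    return [@{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: account,
    } mutableCopy];
}

// Store (or replace) the OAuth token. The accessibility attribute is the
// important part: WhenUnlockedThisDeviceOnly means the item is readable only
// while the device is unlocked and is not migrated to another device when a
// backup is restored, which defeats "copy the token, use it on another device".
BOOL storeOAuthToken(NSString *account, NSString *token) {
    NSMutableDictionary *attrs = tokenQuery(account);
    // Remove any previous item so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)attrs);
    attrs[(__bridge id)kSecValueData] = [token dataUsingEncoding:NSUTF8StringEncoding];
    attrs[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    return status == errSecSuccess;
}

// Read the token back; returns nil if it is absent or the device is locked.
NSString *loadOAuthToken(NSString *account) {
    NSMutableDictionary *query = tokenQuery(account);
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return nil;
    }
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Forget the token, e.g. after the user unlinks the device in Dropbox settings.
BOOL deleteOAuthToken(NSString *account) {
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)tokenQuery(account));
    return status == errSecSuccess || status == errSecItemNotFound;
}
```

A token written this way is still available to the app while the device is unlocked, so syncing keeps working, but it is no longer a file that comes along with every copy of the device’s file system the way a token in a plist or document under the app’s sandbox does. Unlinking the device on the Dropbox side, as the post recommends, is still the right response if a token is suspected to have been copied, since the keychain only protects tokens that have not already left the device.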