This Week In Security: 1Password, Polyglots, And Roundcube

This week we got news of a security incident at 1Password, and we’re certain we aren’t the only ones hoping it’s not a repeat of what happened at LastPass. 1Password has released a PDF report on the incident, and while there are a few potentially worrying details, put into context it doesn’t look too bad.

The first sign that something might be amiss was an email from Okta on September 29th — a report of the current list of account administrators. Okta provides authentication and Single Sign-On (SSO) capabilities, and 1Password uses those services to manage user accounts and authentication. The fact that this report was generated without anyone from 1Password requesting it was a sign of potential problems.

And here’s the point where a 1Password employee was paying attention and saved the day, by alerting the security team to the unrequested report. That employee had been working with Okta support, and sent a browser session snapshot for Okta to troubleshoot. That data includes session cookies, and it was determined that someone unauthorized managed to access the snapshot and hijack the session, Firesheep style.

Okta logs seemed to indicate that the snapshot hadn’t been accessed, and there weren’t any records of other Okta customers being breached in this way. This pointed at the employee laptop. The report states that it has been taken offline, which is good. Any time you suspect malicious action on a company machine, the right answer is power it off right away, and start the investigation.

And here’s the one part of the story that gives some pause. Someone from 1Password responded to the possible incident by scanning the laptop with the free edition of Malwarebytes. Now don’t get us wrong, Malwarebytes is a great product for finding and cleaning the sort of garden-variety malware we tend to find on family members’ computers. The on-demand scanning of Malwarebytes free just isn’t designed for detecting bespoke malicious tools like a password management company should expect to be faced with.

But that turns out to be a bit of a moot point, as the real root cause was a compromised account in the Okta customer support system, as revealed on the 20th. The Okta report talks about stolen credentials, which raises a real question about why Okta support accounts aren’t all using two-factor authentication.

Continue reading “This Week In Security: 1Password, Polyglots, And Roundcube”

A left-hand side unit of a split keyboard. The keys are black with RGB lighting and the key legends are displayed on small OLED screens in each key.

Poly Keyboard Has Screens In Every Key

Aspiring polyglots can be stymied by differing keyboard layouts and character sets when switching between languages. [Thomas Pollak]’s Poly Keyboard circumvents this problem by putting a screen in every key of the keyboard.

In his extensive build logs, [Pollak] details the different challenges he’s faced while bringing this amazing keyboard to life. For example, the OLED screens need glyph rendering to handle the legends on the keys. Since the goal is true universal language support, he used the Adafruit-GFX Library as a beginning and was able to extend support to Japanese, Korean, and Arabic so far in his custom fork of QMK.

The attention to detail on this build is really impressive. Beside the dedication to full glyph support, [Pollak] has measured the amount of extra force the flex cables from the OLEDs add to the actuation of the keyswitches. For the Gateron yellow switch he tested, the difference was about 62.2 g versus the initial 49.7 g.

In case you’re thinking you’ve seen other screen keyboard projects, [Pollak] includes a roundup of similar projects in his logs as well. This isn’t the first keyboard we’ve seen here at Hackaday with an OLED on top of a keyswitch, although [Voidstar Lab]’s MiRage only has three screen keys that were removed in a later iteration. If you’d like a more conventional fixed display in your keyboard, check out [Peng Zhihui]’s modular board with an e-ink display and haptic feedback knob.

Continue reading “Poly Keyboard Has Screens In Every Key”

Shakespeare In A Zip In A RAR, Hidden In An Image On Twitter

Steganography involves hiding data in something else — for example, encoding data in a picture. [David Buchanan] used polyglot files not to hide data, but to send a large amount of data in a single Twitter post. We don’t think it quite qualifies as steganography because the image has a giant red UNZIP ME printed across it. But without it, you might not think to run a JPG image through your unzip program. If you did, though, you’d wind up with a bunch of RAR files that you could unrar and get the complete works of the Immortal Bard in a single Tweet. You can also find the source code — where else — on Twitter as another image.

What’s a polyglot file? Jpeg images have an ICC (International Color Consortium) section that defines color profiles. While Twitter strips a lot of things out of images, it doesn’t take out the ICC section. However, the ICC section can contain almost anything that fits in 64 kB up to a limit of 16 MB total.

The ZIP format is also very flexible. The pointer to the central directory is at the end of the file. Since that pointer can point anywhere, it is trivial to create a zip file with extraneous data just about anywhere in the file.

Continue reading “Shakespeare In A Zip In A RAR, Hidden In An Image On Twitter”

NES ZIP Polyglot shown in NES emulator

This NES ROM Is A ZIP Of Its Source

Polyglots, in computing terms, are files have multiple valid meanings. We’ve seen some amazing examples of polyglot files in releases of The International Journal of PoC||GTFO. One example: a PDF that is also a ZIP, HTML file, and BPG image.

[Vi Grey] was inspired by PoC||GTFO’s release of a PDF/ZIP/NES ROM hybrid file for issue 0x14. Using a different method, [Vi] created a file which is both an NES ROM and ZIP, where the full contents of the ZIP are stored in the NES ROM.

When PoC||GTFO created their NES ROM polyglot, they stuck most the information outside the bounds of the NES ROM. While the file is valid, you’d lose the ZIP archive if it was burnt to a cartridge.

[Vi]’s polyglot is different. Rip it from a real NES cartridge and you get a ZIP file. Unzip it, and you get the source. Compile that source, and you get a valid ZIP file containing the source. Burn that to a cartridge and… hopefully you grok the recursion at this point.

The source and scripts to mangle the polyglot together are up on Github.