[CVE-2014-2584] – 1Password Launching external apps automatically through use of iframe
- Affected Vendor: agilebits.com
- Affected Software: 1Password for iOS
- Affected Version: 4.x prior to 4.5.0
- Issue Type: Lack of user confirmation leading to execution of external app
- Release Date: April 23, 2014
- Discovered by: Guillaume Ross / @gepeto42
- CVE Identifier: CVE-2014-2584
- Issue Status: Vendor has published version 4.5 which corrects this issue by prompting the user before executing another application.
1Password is a password manager for iOS which includes a web browser. The browser has features such as automatic username and password completion. Some apps, such as Facetime, provide URL Scheme functionality that could reveal the user’s identity. Apple protects some of these built-in applications by prompting the user before launching the app. As this protection is built into Safari and not into Facetime itself, 3rd party apps that include a browser are often vulnerable to this, or more precisely, enable other vulnerabilities.
The 1Password browser in versions prior to 4.5.0 executed external URL Schemes automatically when they were placed in an inline frame. This could lead to issues identical to CVE-2013-6835. Applications should not trust the browser to prompt the user before triggering an action, however, as built-in apps like Facetime do so, browser vendors should include some protection. The same iframe code as for CVE-2013-6835 would trigger a Facetime-Voice call automatically, leaking the user’s “caller ID” information (phone number or registered email address).
See CWE-939 – Improper Authorization in Handler for Custom URL Scheme for more information.
A user browsing the web could click a malicious link or load a page containing a malicious link within an inline frame. The attacker can use this to trigger applications with URL Schemes that perform automatic actions, such as Facetime, and leverage those actions against the user.
Proof of Concept
<iframe src="facetime-audio://[email protected]" ></iframe>
- March 19 2014 – Vendor notified
- March 20 2014 – Vendor acknowledges vulnerability
- April 22 2014 – 1Password 4.5 for iOS is released and resolves the issue
- April 23 2014 – Vulnerability Disclosed
Here is how 1Password 4.5+ behaves when opening such links.