Passwords should be long enough, complex enough, and unique to each site. Unfortunately, our memory is limited and we cannot remember such passwords. This is where password managers come into play. The basis of a password manager is that it centrally manages a large number of accounts/passwords and requires a master password to access them. Conversely, attackers will have access to all accounts/passwords if they can steal your master password. I found a serious problem with 1Password, one of the many password manager products. 1Password is one of the most popular password managers on the market, with over 100,000 corporate customers of various sizes. 1Password exchanged master passwords in plain text within the application, so it was very easy to steal it. This means that if I can invade your PC, I can steal your master password and sign in remotely. In this talk, I will show you how to steal information and other data with user privileges from an application, and a demo video that actually collects the information needed to access the 1Password website. 1Password is just one example. If there are applications that exchange important information in plain text, attackers can steal your data in the same way as with 1Password. I recommend that you understand this technique and be prepared for the dangers.
About Soya Aoyama
- Soya Aoyama is a cyber security researcher at Fujitsu System Integration Laboratories Limited. Soya has been working for Fujitsu for more than 20 years as a Windows software developer, and has been developing NDIS drivers, Bluetooth profiles, WinSock applications, and more. About seven years ago, Soya started security research, mainly researching attacks using Windows DLLs, and has talked at BSidesLV, GrrCON, ToorCon, DerbyCon, HackMiami, LeHack, BSidesSG and ROOTCON in the past. Soya is the founder and organizer of BSides Tokyo, and hosted the first BSides Tokyo in 2018.