We were just contacted by a research group formed by Ben Adida at Harvard University, Adam Barth at the University of California, Berkeley, and Collin Jackson at Stanford University. They alerted us to a security issue in the Passpack It! button (also known as the 1 Click Login bookmarklet). We fixed it immediately.
How the issue was discovered — The three researchers named above are preparing an in-depth study of bookmarklets, and the Passpack It! button is one of those they examined. Their open collaboration let us fix the problem quickly.
An example in layman's terms — Jack opens his Passpack account and turns on 1 Click Login. While browsing, he lands on a malicious website built to trick him into pressing his Passpack It! button. Jack falls for it and presses the button. The malicious site then pretends to be another site, for example delicious. If Jack has an entry for delicious saved in his pack, the malicious site can retrieve his delicious login credentials.
The scope of the problem — The malicious site must include code written specifically for Passpack 1 Click Login; generic code would not work. Jack must also be tricked into clicking his button while on the site, typically through phishing techniques in which the malicious site copies a well-known one. Finally, Jack must have an entry for the copied site in his account and have 1 Click Login activated at that exact moment.
What we did to fix this — The server now strictly responds only to calls from the 1 Click Login button that are accompanied by a referring URL (the browser's Referer header). The browser sets that header from the page the button was actually pressed on, and script on the page cannot rewrite it, so the server no longer has to trust the page's own claim about which site it is.
What it means for you – Sites that suppress the referring URL will no longer work with 1 Click Login.
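To make the attack in the example and the Referer-based fix concrete, here is an added illustration in JavaScript (Node). It is not Passpack's code: the request shape, the vault layout, the function names and the sample credentials are all assumptions constructed for this example. It models a server-side credential lookup for a bookmarklet in its vulnerable form (trusting the site name reported by the page) beside a form that derives the site from the referring URL, and it also shows the side effect described above, where a page that suppresses the Referer gets no credentials at all.

```javascript
// Added illustration, not Passpack's code. Request shape, vault layout and
// function names are assumptions made for this example.

// Constructed sample vault: hostname -> credentials (fake accounts).
const sampleVault = {
  "delicious.com": { user: "jack", pass: "hunter2" },
  "example.com": { user: "jack", pass: "correct-horse" },
};

// Hostname of a URL, or null if it does not parse.
function hostOf(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null;
  }
}

// VULNERABLE: trust the site name supplied by the page-side script.
// A malicious page can claim to be any site and harvest that entry.
function lookupVulnerable(req, vault) {
  const site = req.body && req.body.site;
  return (site && vault[site]) || null;
}

// FIXED: require a referring URL and derive the site from it. The browser
// fills the Referer header from the page the bookmarklet actually ran on,
// so a page at evil.example cannot present itself as delicious.com.
function lookupFixed(req, vault) {
  const referer = req.headers && req.headers.referer;
  if (!referer) return null; // pages that suppress Referer get nothing
  const host = hostOf(referer);
  if (!host) return null;
  return vault[host] || null;
}

// Constructed requests for the three situations described in the post.
const attackerRequest = {
  headers: { referer: "https://evil.example/fake-delicious" },
  body: { site: "delicious.com" }, // the page lies about who it is
};
const legitimateRequest = {
  headers: { referer: "https://delicious.com/login" },
  body: { site: "delicious.com" },
};
const noRefererRequest = {
  headers: {}, // the site suppresses the referring URL
  body: { site: "delicious.com" },
};

// Summarise the behaviour of both lookups on the sample requests.
function demo() {
  return {
    vulnerableLeaks: lookupVulnerable(attackerRequest, sampleVault) !== null,
    fixedBlocksAttacker: lookupFixed(attackerRequest, sampleVault) === null,
    fixedServesLegit: lookupFixed(legitimateRequest, sampleVault) !== null,
    fixedRefusesNoReferer: lookupFixed(noRefererRequest, sampleVault) === null,
  };
}

console.log(demo());
```

The hardened lookup ignores the site name in the request body entirely; the only input it acts on is the header the browser attached. That is also why the behaviour change mentioned above is unavoidable with this design: a page that sends no Referer (for example because of a strict referrer policy) is indistinguishable from one that is hiding its identity, so the server refuses it.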
Thanks Adam, Ben and Collin!