We were just contacted by a research group formed by Ben Adida at Harvard University, Adam Barth at Berkeley University and Collin Jackson at Stanford University. They alerted us to a security issue concerning the Passpack It! button (aka the 1Click Login bookmarklet). Not to worry. We fixed it immediately (within 20 minutes of being notified, to be exact).
UPDATE BY TARA, OCT. 12:
I’d like to give more information on the nature of the issue and how we fixed it. I apologize; this information should have been included in the original post, and it was not.
How the issue was discovered — The three researchers mentioned above are preparing an in-depth study on bookmarklets. The Passpack It! button is one of them. We were able to quickly fix this thanks to the open collaboration of the research group.
An example in Layman’s terms — Jack opens his Passpack account and turns on 1 Click Login. Jack starts browsing the internet and happens upon a malicious website built to fool him into pressing his Passpack It! button. Jack falls for it and presses his button. The malicious site then pretends to be, for example, delicious. If Jack has an entry saved in his pack for delicious, the site would be able to retrieve the login credentials for delicious.
The scope of the problem — The malicious site needs to include code written specifically for the Passpack 1 Click Login; generic code would not work. Additionally, Jack must be effectively fooled into clicking his button when visiting the site. This may be achieved by typical phishing techniques, where the malicious site has copy-catted another well-known site. Jack must both have an entry for the copy-catted site in his account and have 1 Click Login activated at that exact moment.
What we did to fix this — We now strictly enforce that the server only responds to calls from the 1 Click Login button that are accompanied by a referring URL.
What it means for you — This will cause sites that suppress the referring URL to not work with 1 Click Login.
Button reinstall is not needed — Initially, as you can see in the crossed out section of this post below, we thought it best to require a button reinstall. In fact, our first fix involved both a server side change (refusing to accept requests with no referrer) and a change to the 1 Click Login button itself. However, by simply ignoring the URL information collected by the button, we can achieve the same effect without having to enforce a button reinstall on everyone.
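To make the two lookup rules concrete, here is an added illustration (not Passpack’s code) of a server-side credential lookup before and after the fix. It assumes a constructed vault keyed by site origin, request headers as a plain object with lowercase keys (as Node’s http module provides), and a claimed URL sent by the button; the hardened version ignores that claimed URL entirely and keys only on the browser-supplied Referer, refusing requests that carry none.

```javascript
// Constructed example vault: one saved entry, keyed by the site's origin.
// The credential values are placeholders, not real data.
const vault = {
  "https://delicious.com": { user: "jack", pass: "<placeholder>" },
};

// Reduce a URL to its origin (scheme + host + port); null if unparsable.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// BEFORE the fix: the server trusted the URL that the button collected
// from the page it was clicked on. A malicious page can claim any URL,
// so a page pretending to be delicious gets the delicious entry.
function lookupTrustingClaimedUrl(claimedUrl) {
  const origin = originOf(claimedUrl);
  return origin ? vault[origin] ?? null : null;
}

// AFTER the fix: the claimed URL is ignored. Only the Referer header,
// which the browser sets to the real page the request came from, picks
// the entry. No Referer (e.g. a site that suppresses it) means no answer,
// which is the "what it means for you" caveat above.
function lookupByReferer(headers, claimedUrl) {
  void claimedUrl; // deliberately unused: client-supplied, so untrusted
  const referer = headers["referer"];
  if (!referer) return null;
  const origin = originOf(referer);
  if (!origin) return null;
  return vault[origin] ?? null;
}

module.exports = { vault, originOf, lookupTrustingClaimedUrl, lookupByReferer };
```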
(Crossed out in the original post:) Please delete your current Passpack It! button! It will no longer work. Then simply reinstall it by going into your Passpack Account >> Auto-login tab >> Install a new button. If you still need help, feel free to submit a request for assistance here.
Sorry for the inconvenience guys.
Thanks Adam, Ben and Collin!