Since when, wow?! I thought they supported just Duo for their business tier! I read all their email communication, etc., and I didn't know about this! They need to do a better job of communicating things to customers as this is groundbreaking!
This is suspicious. They have the VPN traffic, now they want passwords. Encrypted of course, but still. The trust just isn't there. The company is too young. I don't trust them just because they have great design and UX.
Just for the heck of it I created a test account with their password manager with a few honeypot accounts on a VPS server.
Within 2 hours one of the "honeypot" SSH accounts I put in my password manager was accessed with the creds I provided in the password manager. Now I understand there is internet wide scanning but a succesfull login with a random 12 character username and password I had in my password safe is very unlikely to be a random bot account.
Tomorrow I might have a bit more time to throw a few more honeypot accounts in there and see if they attempt to login.
For the time being I would highly discourage anyone store their passwords there.
(using a random throwaway account for obvious reasons, I don't want any retaliation against my startup on my main account from these guys.)
Really sickening that this sort of stuff is going to inevitably be aggressivly marketed to unsuspecting people. Tunnelbear(same company) is shilled extremely hard by youtube tech content creators who should know better, to people who trust them.
Most analysis I can find (admittedly, I've only tried a few variations of the search on Google) says TunnelBear is a relatively decent paid VPN. Are you implying TunnelBear, the company, shouldn't be trusted? If not, why not?
This is not a widespread issue by any means. All the reputable online password managers that I have tested so far in the last several years haven't attempted to access any of the honeypot accounts. I'm a pentester by day so this is more of a side hobby I do in my off time.
This type of behavior one would expect from a sketchy site so these early test results are somewhat surprising to be honest. I will be doing further testing in the next few weeks by throwing a few more honeypot accounts in different accounts created under different ip's. What I'm curious about is whether they do a bulk search for a keyword such as "SSH" across their database or do they target accounts from a certain geographic location and not touch others.
Another possible theory is that the site has a weakness and has been breached but they are just not aware of it. At this point it's a bit too early too tell though.
I encourage other people to test this on their end as well. It's actually very easy to do, spin up a vm image in the cloud, throw some test creds and see who falls for the bait. I keep a simple spreadsheet with unique usernames in one column and the service I stored those honeypot accounts in the next column. If one of those are accessed then I know for certain which services not to trust.
Oh man, I thought you worked for remembear and were outing them! This makes way more sense. And yea, that's really clever, but you really think they'll still be trying this after posting about it publicly?
21 comments
[ 3.7 ms ] story [ 61.5 ms ] threadhttps://support.1password.com/two-factor-authentication/
They also support 2KSD on all hosted accounts
https://support.1password.com/secret-key-security/
Ergo: master password + secret key + OTP
Within 2 hours one of the "honeypot" SSH accounts I put in my password manager was accessed with the creds I provided in the password manager. Now I understand there is internet wide scanning but a succesfull login with a random 12 character username and password I had in my password safe is very unlikely to be a random bot account.
Tomorrow I might have a bit more time to throw a few more honeypot accounts in there and see if they attempt to login.
For the time being I would highly discourage anyone store their passwords there.
(using a random throwaway account for obvious reasons, I don't want any retaliation against my startup on my main account from these guys.)
Since you're anonymous anyways, why not just tell us what you know? Are they breached or is the platform itself some sort of trap?
Another possible theory is that the site has a weakness and has been breached but they are just not aware of it. At this point it's a bit too early too tell though.
I encourage other people to test this on their end as well. It's actually very easy to do, spin up a vm image in the cloud, throw some test creds and see who falls for the bait. I keep a simple spreadsheet with unique usernames in one column and the service I stored those honeypot accounts in the next column. If one of those are accessed then I know for certain which services not to trust.