Questions regarding a security incident

[fisadev]

Hi! This is a somewhat complex issue, I'll explain what happened and then explain why I'm asking about it here.

Chronologically:

1. Years ago, I created an extra google account, just to "reserve" my real name as user name. Then never used that account again, it's just there, with no activity since years ago. Never used it to login to any other site, etc.
2. Two days ago, I decided to start using a password manager. I configured pass in my linux laptop, and decided to use Android-Password-Store on my android, with a bitbucket git repo for synchronization. I inserted all of my passwords at my laptop (pass), then pushed, then cloned the repo from the android app, and opened some of the passwords to check if it was working (it was).
3. Today I received an email from google, telling me that (literally) somebody has my password for that account. That someone tried to login to that account from the US (I'm from Argentina), and they stopped it because it was suspicious.

Important things:

• My phone is a nexus 5x running google's official rom, no custom rom nor carrier modifications, just the vainilla google approved android.
• I'm using OpenKeychain as PGP provider in the phone. Imported my keys as explained in the README of this repo (gpg --export-secret-key ... etc).
• Both apps were installed from the google play store.
• The gpg key I used is new, with a password I never wrote down anywhere. The only place I ever wrote the password (the key password, not the google account password) is the gnome dialogue when unlocking the key, and the android dialogue when unlocking the key (trying to check if the app was working, remember?).

I'm posting it here, because as far as I know, there are four possible ways someone could get my password, and one is a leak in the android apps. The possibilities I can think of: google itself, bitbucket repo, the android apps, pass in my laptop. All of them sound quite unlikely, but there must be something, that account+password never went anywhere else.

Any thoughts?

[zeapo]

Hi @fisadev

That is worrisome. Two questions in mind:

• Was your username in the title of the password file or in the extra?
• Did you open (decrypt) that password using the android app or the command line since you set it up?

[fisadev]

@zeapo answers to your questions:

• The username was in the title of the password (file name). I'm starting to realize that was a bad idea. And has some other ramifications, details below.
• I think I opened that password using the android app. I checked it opening a few passwords, and I think this was one of those, but I have no way of being sure.

Ramifications and important new information:

When I posted the issue, there was a bit of information I didn't know: that pass stores the title of the password in clear text, in the password file name. I thought both the password itself, and the title, were encrypted. Now I know the title isn't.

Why is this important? Because I did use the password for other services which I considered "secure". I didn't use the google account, but the password itself was the same in a few other services. I was confident in doing that because that account was never related to any of those services, it was an unknown account. But that's no longer true, since I now know that bitbucket can see the account name in clear text. And also, maybe, other apps in my phone? How secure is the cloned repo in the phone?

Still, this is strange: to do the connection, someone must have:

• know/hack/leak my password from one of those other services
• have access to the bitbucket repo, either on bitbucket, my laptop, or my phone, to do the connection by seeing the repo files and realizing I'm the same owner of both accounts
• decide to try the other service password with the "secret" account they found in the repo

The repo is private in bitbucket, but I don't know how "private" is in the android app cloned copy.

[fisadev]

I just realized there is another possibility: if someone had known my password in those other services, and they had my real name, they could have "guessed" the google account by trying combinations with my name, last name, name first letter, etc. But that happening two days after I started using pass+the android apps, after years of nothing happening with that account, would be a very strange coincidence.

[zeapo]

I see. First things first, if you selected "Hidden" storage, your passwords will be stored in the data directory of the app. No other app is able to access it unless you have a rooted device and you allow it explicitly. Second, your passwords are encrypted using your pgp key. If that key has a passphrase then neither the app nor anyone else could read your password unless you explicitly give the passphrase. The passphrase is 100% handled by OpenKeychain, and it's the only application on your phone that has your passphrase for a short duration (it has a cache). Same thing happens on your computer, except that it's gpg-agent that keeps a cache of your key if you request it.

With those two elements, for an attacker to access your username/password, that attacker would need root on your device, bypass the sudo request (or be preauthorized) on your phone. Go to that password file, recovers it to his device, get your private pgp key from gpg/OpenKeychain, get your passphrase through a keylogger and finally combine them all to get your password.

Another way, would be for the attacker to compromise either pass or the android app (you have the source code of both). MITM your connection and serve you an apk signed with the right keys (The play store version is signed by me, and I am the only person with that key, the F-Droid version is signed by F-Droid and they're the only one with that key) and serve it to your phone/computer. In the case of your phone, OpenKeychain will detect a change in signature and refuse to authorize the application.

Finally, re-using the same password on different services is a major security flaw. LinkedIn, Dropbox and many other major services have recently been compromised. That's why password managers are important.

I hope I answered your questions.

[fisadev]

Just a small update, in case anyone is interested: today I got a second email from google regarding another email account of mine, again compromised, password known by a third party who tried to login and google stopped them.

This account was secret. The account name itself wasn't written down anywhere. The only place where I have texts mentioning that account, is my gmail inbox and a facebook account created with that email (mails regarding the account creation, etc, from 2011)... but the password was written down. Again, the password was written, but not associated to the email in any form. (It was an account made to test some facebook api stuff, and to use if someday I needed to send something annonymous).

Someone had to be able to extract the email from somewhere, and associate that email with my entry in the repo/pass/mobile apps. This is getting scary, someone is clearly targeting me, and has access to things I considered quite safe...

[fisadev]

Ok, I have really good news. It seems to be a gmail bug. I have explained everything here: http://blog.fisadev.com/posts/suspicious-logins/

Thanks for your attention, sorry to bother you with something that turned out to be unrelated to the project.

[zeapo]

That's great!

Thanks for the info :)