top | item 34480609


dwightgunning | 3 years ago

They don’t have access to the ssh private key. They have access to the encrypted password file (and presumably not the password used to encrypt it).

The attack works when the user doesn’t realize they’re sending their SSH private key through the password form of malicious-site.com.

Something like accidentally putting your Google password into the Dropbox login form. Dropbox have now seen your Google password.

eduction | 3 years ago

No, they clearly have access to the private key, otherwise they couldn’t copy it onto the path where the password is normally stored.

Also, they don’t need any password to encrypt the file, pass uses gpg encryption so they can just use the public key which will be sitting somewhere nearby.

NicolaiS | 3 years ago

You are misunderstanding the attack. The attack's requirement is: replace two encrypted files (e.g. by gaining access to someone's Dropbox that contains the synced db), wait for them to leak "secretA" on "siteB" because `pass` doesn't securely bind secret and sites together. The attack is very realistic and high impact (but hard to perform).
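The swap attack NicolaiS describes (and the binding fix it implies), as an added simulation that is not part of the thread and not `pass`'s own code. The store is a dict of site name to ciphertext, standing in for the synced `pass` directory; the cipher is a toy SHA-256 keystream plus HMAC tag, only so there is something opaque to swap, and the key, site names and secrets are constructed for the demo. With no binding, the attacker (who only needs write access to the synced ciphertexts, not the key) swaps two files and the user's next autofill on malicious-site.com returns the secret that belonged to github.com. With the site name fed into the authenticated data, the moved ciphertext fails to authenticate under the wrong path and nothing is filled.

```python
import hashlib
import hmac
import secrets

# Toy stand-in for the gpg encryption pass uses (assumption: not a real
# cipher, it only gives us opaque blobs to swap). Confidentiality comes from
# a SHA-256 counter keystream, integrity from an HMAC over aad||nonce||ct.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Wrong aad means this ciphertext was not made for this path.
        raise ValueError("authentication failed: ciphertext does not belong here")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed demo material: the user's key and two entries in their store.
KEY = hashlib.sha256(b"constructed demo user key").digest()
SSH_KEY = b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-demo-key\n-----END OPENSSH PRIVATE KEY-----\n"
SECRETS = {
    "github.com": SSH_KEY,
    "malicious-site.com": b"throwaway-password-123",
}


def build_store(bind: bool) -> dict:
    """Encrypt every secret; with bind=True the site name is authenticated too."""
    return {
        site: encrypt(KEY, secret, aad=site.encode() if bind else b"")
        for site, secret in SECRETS.items()
    }


def attacker_swap(store: dict, site_a: str, site_b: str) -> None:
    """What an attacker with write access to the synced store can do without any key."""
    store[site_a], store[site_b] = store[site_b], store[site_a]


def lookup(store: dict, site: str, bind: bool):
    """The password manager's autofill: decrypt the entry stored under `site`."""
    try:
        return decrypt(KEY, store[site], aad=site.encode() if bind else b"")
    except ValueError:
        return None  # refuse to fill anything that does not authenticate for this site


def run_attack(bind: bool):
    """Swap the two files, then autofill on malicious-site.com and return what it gets."""
    store = build_store(bind)
    attacker_swap(store, "github.com", "malicious-site.com")
    return lookup(store, "malicious-site.com", bind)


if __name__ == "__main__":
    print("unbound store leaks:", run_attack(bind=False) == SSH_KEY)
    print("bound store fills:", run_attack(bind=True))
```

The swap needs no key at all, which is why "they don't have the password" does not help; eduction's point that a gpg attacker could also encrypt fresh entries with the public key is stronger than this symmetric toy shows, but binding still defeats the leak, because the attacker cannot produce a ciphertext of secretA that authenticates under siteB without already knowing secretA.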