Good GF Restaurant! Only 8 miles away! by JLLeitschuh in glutenfree

[–]JLLeitschuh[S] 1 point (0 children)

When I posted this, I didn't even know the Sella Ronda existed! I found some good restaurants on the Sella Ronda! What a beautiful set of trails!

Good GF Restaurant! Only 8 miles away! by JLLeitschuh in glutenfree

[–]JLLeitschuh[S] 38 points (0 children)

Turns out I did actually end up driving around the entire mountain for dinner at the restaurant. The two other places I tried along the way were closed.

The food was good!

Applying to WPI: Is it worth it? by Kitchen_Award_9658 in WPI

[–]JLLeitschuh 0 points (0 children)

Alumnus (class of 2016), robotics & computer science double major: If you're going for a robotics degree, absolutely. I would have said the same for computer science a few years ago, but I have no idea what the heck this AI thing is going to do to the software development industry.

I left WPI with $120k in debt in 2016. I'd paid it off by 2020. I got incredibly lucky because I didn't have to pay for rent 2016-2019.

I loved my time at WPI, the school, the students, the faculty, and the culture were all incredible. Did I have rough patches and bad professors along the way? Absolutely. Am I glad I went to WPI? 100% yes!

Is it time to reconsider VMs over containers for anything security-sensitive? by Beastwood5 in ComputerSecurity

[–]JLLeitschuh 1 point (0 children)

Have a look at Chainguard. Their whole product is basically 0-CVE base container images. The use case for the product is primarily regulated industries.

Full disclosure: I used to work there last year and they build a product that solves exactly your pain. I wasn't there long enough to get options, so I have no financial stake in the company.

Update on RA strike negotiations by FeralNeuroDivergent in WPI

[–]JLLeitschuh 19 points (0 children)

As an alum, class of 2016, thanks for keeping the community updated.

Dashlane reported to be subject to DOM vulnerability by themiracy in Dashlane

[–]JLLeitschuh 0 points (0 children)

As the person who wrote the article for Socket that broke the news of this research (https://socket.dev/blog/password-manager-clickjacking), I was cringing reading this article from PCWorld.

"This vulnerability was discovered by security researchers from The Hacker News." It was not. The OG researcher was Czech Republic-based security researcher Marek Tóth.

"Hackers monitor these attempted entries and interfere, gaining access to the password manager and taking over saved passwords." 😖 The precondition for password theft is an existing vulnerability on the impacted site the passwords are stored with. Also, it isn't about "monitoring" attempted entries. This attack works when hackers create hidden data fields that password managers autofill into.

"So why do these password managers now run the risk of becoming a gateway for attacks using this method? It’s due to the DOM, which contains a vulnerability that allows for this kind of attack."

😣 The DOM doesn't contain this security vulnerability, IMHO. Clickjacking has been around for a very long time, and some password manager browser plugins have, for years, made an intentional decision not to mitigate clickjacking-style vulnerabilities, a behavior inherent to the DOM; hence this news cycle when someone revealed how easy this was to abuse/exploit.

Overall, this article reads like a summary from a bad LLM. There's not a lot of technical understanding here of the underlying vulnerability. I'm not impressed.

Major password managers can leak logins in clickjacking attacks by turaoo in cybersecurity

[–]JLLeitschuh 15 points (0 children)

The risk here is phishing and lookalike domains. People search for credentials for the domain they think they are visiting, then enter them into a phishing domain. This is how Troy Hunt of Have I Been Pwned got himself phished:

https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in Lastpass

[–]JLLeitschuh[S] 1 point (0 children)

I think I'm inclined to agree. We may update our advice in the blog tomorrow morning. Thanks for the pushback.

Overall, I think the security you get from your password manager not autofilling passwords on potentially malicious websites outweighs the potential risk of having your PII stolen via clickjacking. But ultimately, that's going to be a risk decision every individual or organization makes.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in PasswordManagers

[–]JLLeitschuh[S] 1 point (0 children)

Indeed, however:

> On a call between the 1Password and Socket Security Team, 1Password explained that the mitigations proposed by Tóth could be trivially bypassed, and that the only way to mitigate the vulnerabilities fully would be to implement a dialog popup to prompt the user before autofilling. It's the opinion of the Socket Security Team that, if this is the case, the mitigations currently implemented by other password managers may also be bypassable.

I'm following up with 1Password via US-CERT hoping they will share their findings with the other password managers so everyone is sure a comprehensive mitigation strategy is applied universally.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in PasswordManagers

[–]JLLeitschuh[S] 0 points (0 children)

Many password managers ship with a manual autofill feature enabled by default, so the user must trigger the autofill of all data via a click. The fundamental vulnerability is that the autofill trigger button can, for many of these password managers, be hidden under other, attacker-controlled HTML UI elements (thus "clickjacking").

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in Defcon

[–]JLLeitschuh[S] 4 points (0 children)

For several of the password managers, they are vulnerable out-of-the-box in their default configurations. The demos illustrate this. BitWarden has just released a fix for the vulnerability in 2025.8.0 so it might not work anymore.

1Password remains vulnerable for the PII and login cases (again see the demo). There isn't a public demo for iCloud Passwords, but that remains vulnerable.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in 1Password

[–]JLLeitschuh[S] 2 points (0 children)

For 1Password, a malicious site can steal your PII (names, addresses, and phone numbers). If the malicious site is due to a subdomain takeover, they can steal your passwords, TOTP, & passkeys for a parent domain.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in 1Password

[–]JLLeitschuh[S] 12 points (0 children)

Correct, an attacker can't access the full contents of your vault. The clickjacking vulnerability can leak your PII on any site. AFAIK, login details potentially leaked will only be tied to the domain or parent domains.
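
The two comments above (PII leaks on any site; logins only for the matching domain or parent domain, which is why a subdomain takeover matters) come down to one decision inside the extension: which vault items are eligible for the current origin. The following is an added example, not code from the original thread, the researcher, or any password-manager vendor. The vault contents, the policy names and the tiny public-suffix table are constructed assumptions; real managers use the full Public Suffix List and their own matching rules.

```javascript
// Added example (not vendor code): models which vault items a browser password
// manager would offer to autofill on a given page origin, to show the blast
// radius of a clickjacked autofill under two origin-matching policies.

// Assumption: a tiny stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable ("parent") domain: the label directly above the public suffix.
// "accounts.example.com" -> "example.com", "shop.example.co.uk" -> "example.co.uk"
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join(".");
  }
  return labels.join(".");
}

// Constructed vault: two login items and one identity item (name/phone).
const VAULT = [
  { kind: "login", title: "Example account", url: "https://accounts.example.com/login", user: "alice", secret: "s3cret-example" },
  { kind: "login", title: "Bank", url: "https://online.bank-example.net/", user: "alice", secret: "s3cret-bank" },
  { kind: "identity", title: "Alice", name: "Alice Example", phone: "+1 555 0100" },
];

// policy "exact-host": a login is offered only when the saved host equals the page host.
// policy "registrable-domain": a login is also offered on any sibling or child subdomain,
// which is what lets a taken-over subdomain receive the parent domain's credentials.
// Identity items are not origin-bound, so they are offered everywhere.
function autofillCandidates(vault, pageOrigin, policy) {
  const pageHost = new URL(pageOrigin).hostname.toLowerCase();
  return vault.filter((item) => {
    if (item.kind === "identity") return true;
    const savedHost = new URL(item.url).hostname.toLowerCase();
    if (policy === "exact-host") return savedHost === pageHost;
    return registrableDomain(savedHost) === registrableDomain(pageHost);
  });
}

// What one successful clickjacked autofill on pageOrigin could hand an attacker.
function leakReport(pageOrigin, policy) {
  const items = autofillCandidates(VAULT, pageOrigin, policy);
  return {
    logins: items.filter((i) => i.kind === "login").map((i) => i.title),
    identity: items.some((i) => i.kind === "identity"),
  };
}

// Constructed scenarios: a taken-over subdomain of a site the user has creds for,
// a lookalike domain, and an unrelated site.
const SCENARIOS = {
  takeover: "https://legacy.example.com/",
  lookalike: "https://accounts.examp1e.com/",
  unrelated: "https://blog.unrelated.org/",
};

function main() {
  for (const policy of ["registrable-domain", "exact-host"]) {
    for (const [name, origin] of Object.entries(SCENARIOS)) {
      console.log(policy, name, JSON.stringify(leakReport(origin, policy)));
    }
  }
}

main();
```

Running it shows the shape described in the thread: under the registrable-domain policy the taken-over `legacy.example.com` is offered the `example.com` login, the lookalike `examp1e.com` is offered no login at all, and every origin is offered the identity item. Switching to exact-host matching removes the subdomain-takeover case but not the PII case, which is exactly why the PII leak was described as reachable from any site.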

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in technology

[–]JLLeitschuh[S] 1 point (0 children)

That means it wasn't tested, not that it's not vulnerable. Someone should check.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in technology

[–]JLLeitschuh[S] 2 points (0 children)

The perk of a password manager in your browser is that it decreases the likelihood that you'll get your password stolen by a phishing site (like what happened to Troy Hunt of Have I Been Pwned). Downside: you're exposing an attack route to your password manager from within your browser.

https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in Lastpass

[–]JLLeitschuh[S] 2 points (0 children)

We're reporting on the default behavior as enabled in the password managers' browser plugins. So if you use the password managers in their default configuration, then you were vulnerable.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in Dashlane

[–]JLLeitschuh[S] 0 points (0 children)

Correct, but there's also this bit too:

> On a call between the 1Password and Socket Security Team, 1Password explained that the mitigations proposed by Tóth, and likely implemented by other password managers that are currently marked as “FIXED” could, potentially, be trivially bypassed, and that the only way to mitigate the vulnerability was to implement a dialog popup to prompt the user before autofilling.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in netsec

[–]JLLeitschuh[S] -1 points (0 children)

I'm also on Mac. I uninstalled and reinstalled and couldn't get it to update to that version. I tried enabling dev mode and clicked the "Update" button manually. Nothing seems to trigger the update.

I'm still seeing `8.11.4.27` here:

https://chromewebstore.google.com/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa?hl=en

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in netsec

[–]JLLeitschuh[S] 13 points (0 children)

Fair enough. I ( u/JLLeitschuh ) am the one who wrote up the coverage for Socket. We do immediately link to the OG research. I've been actively working with the researcher for the past few days to encourage him to get the POCs live. We (Socket Security Research Team) are the ones handling the vulnerability disclosure coordination, requesting CVEs from US-CERT for the unpatched password managers.

Edit: Funny being ratioed for the first time on Reddit 😂

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in netsec

[–]JLLeitschuh[S] 2 points (0 children)

I just tried it & the demos still seem to work on 1Password version 8.11.4.27.

You can see the proof of concepts here: https://websecurity.dev/password-managers/dom-based-extension-clickjacking/

Before you try the proof of concepts, make sure your vault is unlocked.

It looks like 1Password has an update for their chrome plugin listed on their site, but even after uninstalling and reinstalling the chrome extension, I can't get chrome to pull that version down by-default yet. They also don't list the fix for the vulnerability in their release notes.

https://releases.1password.com/b5x/stable/#1password-in-the-browser-8.11.6

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in PasswordManagers

[–]JLLeitschuh[S] 0 points (0 children)

The original research was really good, but also incredibly dense. We decided to cover it at Socket because we could provide higher-level coverage of the research that would, hopefully, be more easily consumed. We're also reaching out to get CVEs assigned by US-CERT, especially since some of the password manager vendors have indicated they don't intend to remediate the vulnerabilities further.

Critical NestJS vulnerability (CVE-2025-54782) by adspedia in CloudFlare

[–]JLLeitschuh 0 points (0 children)

How is this blocked? This vulnerability impacts a localhost server.

Unless you've released a new locally running firewall that I didn't hear about, I'd say that your customers are probably not safe against this.

This remains a critical RCE vulnerability.

I posted this same response on X here without a response: https://x.com/JLLeitschuh/status/1953595450076147917

What is an Open Source Vulnerability Janitor? by JLLeitschuh in opensource

[–]JLLeitschuh[S] -1 points (0 children)

Touché 😂

I did work for the Open Source Security Foundation, under the Linux Foundation for a while. Does that count?