Author Topic: 1Password Leaks Your Data  (Read 1177 times)

app103
1Password Leaks Your Data
« on: October 18, 2015, 09:40:52 PM »
Quote
For those of you who don’t know, 1PasswordAnywhere is a feature of 1Password which allows you to access your data without needing their client software. 1Password originally only used the “Agile Keychain” format to store their data (not including when they were OS X keychain only). This format basically stores your data as a series of JavaScript files which decrypt your data when you supply your master password. Since the files are JavaScript and implementations of various crypto algorithms exist in JavaScript, there was no reason why AgileBits couldn’t come along and make an HTML and JavaScript client for viewing your data, so they did.

If you browse to your .agilekeychain “file” on disk, you find that it is actually a directory. Inside this directory is a file named “1Password.html”. If you access this file over HTTP (note that using the file protocol won’t work), you will be greeted with a grey page which has a lock image and a password field. Enter your password and your keychain will unlock and you have a read only view of your data.

So what’s the problem? Well, it turns out that your metadata isn’t encrypted. I discovered this after having a sync issue with Dropbox (I use Dropbox to host my keychain). The file that had issues was 1Password.agilekeychain/data/default/contents.js. Being a curious kind of guy I opened the file to see what was in there. The answer is the name and address of every item that I have in 1Password. Every single one. In plain text.

The implications of that are rather serious, in some cases. To understand just how serious and hear what 1Password had to say about all of this, read the full article.

http://myers.io/2015...ord-leaks-your-data/

wraith808
Re: 1Password Leaks Your Data
« Reply #1 on: October 19, 2015, 12:28:11 AM »
I just checked this with mine.  Everything is correct, up until the last line.  There are no passwords stored in that file.  Just the addresses of the sites.  An example from my file for DonationCoder:

["redacted a guid","webforms.WebForm","DonationCoder","http://www.donationc...ex.php?action=login2",redacted an integer,"redacted another guid",0,"N"]

I redacted parts just in case (2 guids and a number), but none of them were passwords.  I might wish that the sites were not stored in this manner, but the passwords are just not there.  I even looked for a couple in the file and the directory that I know are stored in my 1Password, but none of them are in any of the files.

app103
Re: 1Password Leaks Your Data
« Reply #2 on: October 19, 2015, 08:59:27 AM »
Quote
I just checked this with mine.  Everything is correct, up until the last line.  There are no passwords stored in that file.  Just the addresses of the sites.

The article never said it was leaking password data.

The metadata can present just as much of a privacy or security issue, in some cases, depending on what's in there and where you store your keychain file. It's pretty much a list of every site you have a login on. And as the author stated, it could also contain password reset URLs that are not one time usage URLs.

1Password has always known about this issue but doesn't seem to really care about it (it was a deliberate design decision), and doesn't inform their users about it. I wonder how many of their users just assume this data is all encrypted, because they haven't been told otherwise.

People get upset when their government wants ISPs to save a history of every URL visited by each of their customers, to be made available to them upon request, calling that an invasion of their privacy. How would this kind of data about 1Password users, made available to the public in plain text (depending on where you store your keychain file) be any less of a privacy risk?
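As an added example (not code from the thread, the linked article, or AgileBits), here is a small audit script a keychain owner can run against their own contents.js to see exactly what the unencrypted index exposes: item titles, the hosts of every saved login, and any saved URL that looks like a password-reset link, which is the concern raised in this reply. It assumes contents.js is a JSON array of rows in the shape wraith808 quoted above, with the field order [uuid, type, title, url, timestamp, folder, strength, trashed]; the sample data is constructed, not taken from a real keychain.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the row quoted in the thread; not a real keychain.
SAMPLE_CONTENTS_JS = json.dumps([
    ["00000000000000000000000000000A", "webforms.WebForm", "DonationCoder",
     "https://forum.example/index.php?action=login2", 1445000000, "", 0, "N"],
    ["00000000000000000000000000000B", "webforms.WebForm", "Example Bank",
     "https://bank.example/account/reset_password?token=abc123", 1445000001, "", 0, "N"],
    ["00000000000000000000000000000C", "passwords.Password", "Old wifi",
     "", 1445000002, "", 0, "Y"],
])

# Heuristic only: URL fragments that commonly mark reset/recovery links.
RESET_HINT = re.compile(r"reset|forgot|recover|token=", re.IGNORECASE)


def parse_contents(text):
    """Return the rows of contents.js as dicts.

    Assumes (not verified against AgileBits' spec) the per-row field order
    [uuid, type, title, url, timestamp, folder, strength, trashed]. Only the
    outermost [...] is parsed, so a JavaScript wrapper around the array is tolerated.
    """
    body = text[text.index("["):text.rindex("]") + 1]
    items = []
    for row in json.loads(body):
        items.append({
            "uuid": row[0], "type": row[1], "title": row[2],
            "url": row[3] if len(row) > 3 else "",
            "trashed": len(row) > 7 and row[7] == "Y",
        })
    return items


def audit(text):
    """Summarise what anyone who can read contents.js learns from it."""
    items = parse_contents(text)
    hosts = sorted({urlparse(i["url"]).hostname for i in items if i["url"]} - {None})
    reset_like = [i["url"] for i in items if i["url"] and RESET_HINT.search(i["url"])]
    return {
        "items": len(items),
        "titles": [i["title"] for i in items],
        "hosts": hosts,
        "reset_like_urls": reset_like,
        "trashed_still_listed": sum(1 for i in items if i["trashed"]),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONTENTS_JS).items():
        print(f"{key}: {value}")
```

Point it at 1Password.agilekeychain/data/default/contents.js instead of the sample to see your own exposure; anything the report lists is readable by whoever can read the synced folder.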

wraith808
Re: 1Password Leaks Your Data
« Reply #3 on: October 19, 2015, 10:21:27 AM »
Quote
People get upset when their government wants ISPs to save a history of every URL visited by each of their customers, to be made available to them upon request, calling that an invasion of their privacy. How would this kind of data about 1Password users, made available to the public in plain text (depending on where you store your keychain file) be any less of a privacy risk?

Point taken about the passwords.  I read that wrong.  Which, to me, makes it a lot of sturm und drang with no foundation.  The difference in your analogy is that the ISP is not under your control.  This data is.  Just like if you store a list of URLs then post it on the net.  Why would you post this information in a publicly accessible location?  You wouldn't, from my estimation.  And if you do... then that's your fault, isn't it?

Stoic Joker
Re: 1Password Leaks Your Data
« Reply #4 on: October 19, 2015, 11:17:32 AM »
Quote
1Password has always known about this issue but doesn't seem to really care about it (it was a deliberate design decision), and doesn't inform their users about it. I wonder how many of their users just assume this data is all encrypted, because they haven't been told otherwise.

I'll go with the perilously close to 100% range. Aaannnddd... Therein lying the problem, because with the false assertion that all is fine-ly encrypted more people will be prone to expose the file publicly (for their own access/convenience) and subsequently end up hemorrhaging much useful personal data.


All data is (mis)useful...it's just a matter of figuring out how.

hamradio
Re: 1Password Leaks Your Data
« Reply #5 on: October 19, 2015, 12:45:14 PM »
Also the case of what about web browser history if you don't clear the history/cache all the time and have one of those reset password website addresses in it that doesn't expire? Same thing going on there I would think especially if computer was compromised...
Carroll - HamRadioUSA.net
« Last Edit: October 19, 2015, 12:52:03 PM by hamradio »

JavaJones
Re: 1Password Leaks Your Data
« Reply #6 on: October 20, 2015, 02:27:04 PM »
It seems there's more to the story, and a fix is on the way:
Quote
The team introduced a new format called OPVault in 2012 that encrypts a lot more metadata. Concerns over backwards compatibility with Android, Windows and Dropbox synching, however, convinced them to take a conservative approach and not automatically migrate everyone over to OPVault.

Myers’ post, the team said, reminded them that it was time to make the switch to the new format. As such, they’ve already started transitioning to OPVault. For those that don’t want to wait it out, it’s possible to manually make the switch using these guides for Mac, Windows, iOS and Android.
http://www.techspot....data-encryption.html

- Oshyan