Tuesday, 20 October 2015

1Password Password Manager Metadata Leaks

The popular password manager 1Password appears to be leaking user metadata, a problem that was already noted in 2011. This time it was Microsoft engineer Dale Myers who discovered that user metadata is stored unencrypted.

1Password has a feature that supports synchronization between different devices via Dropbox. For this it stores a number of files, including an unencrypted JavaScript file containing the names and addresses (URLs) of all items stored in 1Password. This JavaScript file is accessible to third parties, the engineer warns.

"Anyone who knows the link to my keychain can change the link on the login page and retrieve the file." This could be a problem in particular for people who have accounts on certain websites that they do not want others to know about. The problem only occurs with 1Password's AgileKeychain format and not with the newer OPVault format. Myers therefore calls on the 1Password developers to make OPVault the only supported format.

Myers also describes a second problem: attackers can use the metadata to change a password if a user has started a password reset but never got past the reset page. In that case the reset link may be stored in the metadata. The Microsoft engineer states that in 99% of cases this is not a problem, but in certain cases it is. According to Myers the problem is made worse because some people link to their keychain from their own website, and in some cases that keychain is indexed by Google.
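To make the two risks above concrete (an unencrypted index reveals which sites a user has accounts on, and a stored URL may still carry a password-reset token), here is a small audit script a user or administrator could run against their own sync folder. This is an added example, not code from the article, from Myers, or from 1Password: the file wrapper, field names and sample records are constructed assumptions for illustration and are not the documented AgileKeychain layout.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the shape of a cleartext metadata index: a JavaScript
# file whose body is a JSON array of item records. The wrapper name and the
# field layout are assumptions for this example, not the real 1Password format.
SAMPLE_INDEX_JS = """loadContents([
  {"uuid": "A1", "type": "webforms.WebForm", "title": "Example Bank", "location": "https://bank.example/login"},
  {"uuid": "A2", "type": "webforms.WebForm", "title": "Support forum", "location": "https://forum.example/account"},
  {"uuid": "A3", "type": "webforms.WebForm", "title": "Mail reset", "location": "https://mail.example/reset?token=abc123def456"},
  {"uuid": "A4", "type": "passwords.Password", "title": "Wi-Fi", "location": ""}
])"""

# Matches "<anyName>( [ ... ] );" so the JSON payload can be pulled out of the JS file.
WRAPPER = re.compile(r"^\s*\w+\(\s*(\[.*\])\s*\)\s*;?\s*$", re.DOTALL)

# Path segments or query keys that suggest a one-time account-recovery link.
RESET_HINTS = ("reset", "recover", "token", "verify", "confirm")


def parse_index(js_text):
    """Strip the function-call wrapper (if present) and decode the JSON array."""
    m = WRAPPER.match(js_text)
    payload = m.group(1) if m else js_text
    return json.loads(payload)


def audit_items(items):
    """Summarise what a third party could learn from the cleartext index:
    the set of hostnames the user holds accounts on, and any stored URL that
    looks like an unfinished password-reset link (reset-style path or query
    key plus a non-empty query string)."""
    hosts = sorted({urlsplit(i["location"]).hostname for i in items if i.get("location")})
    hosts = [h for h in hosts if h]
    reset_links = []
    for item in items:
        loc = item.get("location", "")
        if not loc:
            continue
        parts = urlsplit(loc)
        query = parse_qs(parts.query)
        haystack = (parts.path + " " + " ".join(query)).lower()
        if query and any(hint in haystack for hint in RESET_HINTS):
            reset_links.append({"uuid": item["uuid"], "title": item["title"], "url": loc})
    return {"item_count": len(items), "hosts": hosts, "reset_links": reset_links}


def main():
    items = parse_index(SAMPLE_INDEX_JS)
    report = audit_items(items)
    print(f"{report['item_count']} items indexed in cleartext")
    print("account hostnames exposed:", ", ".join(report["hosts"]))
    for r in report["reset_links"]:
        print(f"possible live reset link in item {r['uuid']} ({r['title']}): {r['url']}")


if __name__ == "__main__":
    main()
```

Even the hostname list alone is the disclosure the article describes: it shows which services a person uses without revealing any secret. The reset-link check is the second issue, a URL saved mid-flow that may still be valid; an item flagged this way should be edited so only the site's normal login address remains, and the keychain folder itself should never be linked from a public web page.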

Myers informed the 1Password developers, who let it be known that this was a deliberate design choice. Moreover, AgileKeychain is an older format that was replaced by OPVault in 2012. Still, Myers is critical of OPVault as well, because when creating an OPVault on Mac OS X the user must provide a password hint, which is stored unencrypted. Myers has used 1Password for years. His findings have shaken his confidence in the password manager, yet he is not going to switch.
