Minor information leak when using Teams

pcherna
pcherna
Community Member

Using 1Password on the Mac, I am a member of a team. The team-supplied passwords are hidden from me (no option to reveal). All I can do is launch a website using one of those passwords, and that's fine.

However, if a password from a Team vault matches one in a personal vault, I can see which entry, and thereby learn the password for the entry in the Team vault. (Obviously this won't be an issue with random generated passwords, but not everyone's there yet.)

The solution would be to suppress the check for duplicated passwords, for entries that you don't have view permission.


1Password Version: 7.3
Extension Version: Not Provided
OS Version: OS X 10.14
Sync Type: 1Password

Comments

  • This seems to be another example of why password reuse is a bad idea. :) But you're absolutely right, we probably shouldn't be revealing this information, even with the best of intentions. We do have an issue filed for this that development is evaluating.

    Ben

    ref: apple-3554

This discussion has been closed.