Silent update account data

dguskov
dguskov
Community Member
edited December 2019 in Mac

Hello!

I have two "1Password Account" records in the my vault. One my regular account and one "1Password Account Organiser" for family account organiser.

My regular "1Password Account" DO NOT store my master password.

After install new 7.4.1 1Pass and login at the new Mac, I see:

  1. My regular "1Password Account" now store my master password.
  2. "1Password Account Organiser" stored master password replaced by master password from regular "1Password Account"
  3. "1Password Account Organiser" stored Secret Key replaced by Secret Key from regular "1Password Account"

WTF ?!

A do not ask to modify records in the my vault.

Why 1Pass silently corrupt my "1Password Account Organiser" record?
A can see "1Password Account Organiser" master password in the Password History, but where is history for Secret Key ?!

Why 1Pass save my master password to the regular "1Password Account" record without any asking ?!

In what way I can RESTORE my Secret Key from "1Password Account Organiser" record?

UPD.

Please ask before changing stored data. Maybe tomorrow 1Password will decide to silently replace all my passwords with random data? Now I completely believe in it.


1Password Version: 7.4.1
Extension Version: Not Provided
OS Version: 10.15.2
Sync Type: Not Provided

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @dguskov!

    I don't think 1Password can modify data without you telling it to. Did you perhaps login to your personal 1Password account in a browser recently?

  • dguskov
    dguskov
    Community Member

    I am absolutely sure that at the moment of login to the account on the new device (in the program, not in the browser), 1Password modifies, at a minimum, the entry labeled "Starter kit". At least it saves the master password, which 100% was not there. Without any questions.

  • ag_ana
    ag_ana
    1Password Alumni

    @dguskov:

    Thank you for the confirmation. I have tried testing this here but I could not reproduce what you are experiencing, so I wonder if I am following some slightly different steps. As a quick test, can you please try removing the Master Password from your 1Password item, and use that account to login on a new device once again, to see if this happens again for you?

  • dguskov
    dguskov
    Community Member
    edited December 2019

    Ок. Let's try.

    I make trial account

    Remove password and set Secret Key to another string

    Make new macOS user account and start 1Pass from scratch.

    What is it?! My password?! And where is MY-SECRET-DATA string?!

  • dguskov
    dguskov
    Community Member
    edited December 2019

    Change my data again

    Go to the web and make sure data is synced

    Again - new macOS user - setup 1Password from scratch. And... MAGIC!!!

  • dguskov
    dguskov
    Community Member

    From this document https://support.1password.com/1password-security/

    A secret Master Password. Your Master Password is never stored alongside your 1Password data or transmitted over the network.

    It turns out that this is not true:
    1. Master password is saved without my desire
    2. Master password is transmitted over the network. In an encrypted form, to the 1Password server for synchronization, but still transmitted.

  • @dguskov

    If you remove the line for the password in edit mode it doesn't return, at least here for me it doesn't. Please see below.

    Your data is never leaving the computer, one of our very own @ben explains it here when talking about the Secret Key: https://discussions.agilebits.com/discussion/comment/534899/#Comment_534899

  • dguskov
    dguskov
    Community Member
    edited December 2019

    @ag_tommy

    Hello! Please see first screenshots series. I was remove password in edit mode and it's returns after set up new device.

    About my data. I was setup new device and enter my Master Password. 1Password store my Master Password in the Vault (why it do this?!) and my Master Password going over network (encrypted of course) form my computer to the 1password.com (inside my vault, but I did not ask for it)

  • Ah, I missed the portion of the create new Mac user account. This would indeed be the behavior, as its an entirely new linking to your account. It's the same as if you removed the Mac from the authorized devices and re-authenticated.

    I was able to locate this comment which states the starter-kit is updated as needed. https://discussions.agilebits.com/discussion/comment/485362/#Comment_485362

    However, the same information still holds, your data is not transmitted, in a nut shell its being read locally from the device.
    https://discussions.agilebits.com/discussion/comment/534899/#Comment_534899

    I think we could do better to ensure a user understands that this information is being read locally and not actually transmitted. Thanks for bringing this up, and I can see why it would cause concern.

  • dwradcliffe
    dwradcliffe
    Community Member

    This same thing just happened to me. I logged in on a new computer and the "starter kit" items were all updated with the same information and I just lost data!

  • @dwradcliffe

    I am not sure I follow. The starter kit only contains your account details such as email address, Secret Key, and Master Password. Each Starter Kit is specific to the account it was created in. Logging in on a new device would not cause you to have any data loss. If I am following you correctly.

This discussion has been closed.