Can we get a detailed explanation for the issue raised by mia RE: another user on their login page?
Specifically, the issue raised by @mia a couple of weeks ago wherein it appears that another user was listed on their 1Password login page. Link to the closed thread:
https://1password.community/discussion/124657/seeing-strangers-account-on-my-1pw-login-page
@mia also had an issue with data loss, having lost a few days of changes. With 1pw8 having gone stable on Linux and in release candidate status for Windows, it would be nice to know if that was confirmed as a bug and whether it's been fixed.
Thanks!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Comments
-
Hi @EnerJi
I can speak to both of these.
The bug where I experienced data loss was an incidence where Windows 1PW 8 was not syncing data for whatever reason. I was logged into Windows but none of the entries synced. Full disclosure I use simplewall as my software firewall but no changes were made before & after & 1PW 8 had full access to the network at all times. All other devices (iPhone & Mac) were syncing but the items I entered that night in my windows install did not get synced. Logging out and logging back into the Windows client **instantly **resolved the issue but all of my entries I had entered got wiped. I had to go back through my Chrome history and figure out what the specific accounts were and had to restore the accounts. To the best of my knowledge I have not seen the issue again looking at the changelog it was never diagnosed or resolved. I don't think the thread should have been locked as the other issue was already dismissed (see below) and had nothing to do with the issue, but shrug.
I've been using 1Password forever and have never experienced this before and the syncing otherwise has been stable and actually fairly more stable on the mobile client than Dropbox was. I work in IT and I can admit that sometimes the problem can exist between the chair & keyboard but in that instance, there was no way it was anything on my part. My 1PW software was not syncing, plain and simple. It'll be impossible to fix this as it's not reproducible and I don't expect AgileBits to exert any energy to try and investigate. I am crossing my fingers that this never happens again. I wish I had extracted diagnostic logs after restoring the sync though as it might have helped narrow the issue, but didn't think of it at the time.Regarding the other issue about "Ronish's Family" - it was never explained. I have no idea who that individual is or why his or her family logged had logged into my browser in Chrome. I was emailed by a member of the 1PW security team and was very respectfully told to scan my device for malware. The bottom line I was told that " both email accounts - yours and "Ronish's" have registered using this device".
I am an IT Director and used to work network security so I always recognize there's a chance of infection but I see absolutely no evidence of it anywhere. I ran Kaspersky scans and I run Simplewall software firewall in addition to hardware firewalls and there was no evidence of intrusion to this day.
The other suggestion was to ask my household, but there is no one else in my place that could have accessed my computer. My wife has never even touched my setup and my toddler doesn't know how to access it yet Lol.
When I'm not on it, it's encrypted with Bitlocker XTS-AES-256. I was not able to access "Ronish's Family" account and never saw it again on my 1Password.com web account after I removed it manually. My follow-up email was never responded to as I'm not sure they can do anything other than inspect IP addresses for my account (if that's available?)I never saw "Ronish's Family" account mentioned anywhere else on Windows, Mac, or my iPhone -- just on my 1PW web account. Was a little disappointed this was never dug into a bit deeper but I understand as AgileBits has a heavy development load to focus on right now. I was brushed off others as well and in every case there was an actual security breach at the company. I am guessing there is an explanation for this, but I honestly cannot guess as to what it could be.
0 -
Hi folks,
Thanks for following up on this. I can understand how a report like this would sound alarming. So many apps and services have designs that allow for such chaos to happen. The majority of services out there, in fact, have no protections in place to cryptographically prevent this, which is terrifying.
Thankfully 1Password is completely different. Security and Privacy are the foundation of our design. And this foundation is cryptographically enforced. This means it's not just a policy that prevents users from seeing other people's items but rather is mathematically infeasible for anyone to break into another account. And thanks to the Secret Key, this remains true even for accounts with weak passwords.
Long story short, because all 1Password data is cryptographically protected using the account password it would be impossible to access that data without that password and secret key. For anyone joining the conversation who might not be familiar, 1Password utilizes Two-Secret Key Derivation (2SKD), which is unique to 1Password. Frankly this is what allows us to sleep at night. It ensures that what is stored on our servers is of little if any value.
If you're interested in learning more about our security model we offer a guide which provides a good overview, as well as an in-depth 1Password Security Design White Paper. On the subject of privacy, we have a guide, and our formal privacy policy is also available.
@mia:
Was a little disappointed this was never dug into a bit deeper but I understand as AgileBits has a heavy development load to focus on right now. I was brushed off others as well and in every case there was an actual security breach at the company.
I'm sorry we gave you the impression we brushed you off. That wasn't our intent. We take account privacy very seriously and are unable to share details about other accounts. We did a full investigation internally and everything is as it should be. I can say that our investigation did not find anything wrong with 1Password.
Both security and privacy are foundational to our business. We appreciate that this report was made so that we could fully evaluate the situation.
Ben
0 -
Hi Soshiito,
Nice to hear from you! Hope you've been well. Yes that's my understanding as well. I have no idea how Ronish's family could have shown up. If you look at the realistic probability of this, chances are high this one is user error but I just don't see how. I trust the math (encryption) more than I trust myself Lol0