User seeing passwords for vault they don't have access to?
A few times now I have noticed on 2 different accounts that users can see passwords that they shouldn't have access to? Is this a known problem? It seems to be specifically related to the newer web browser plugin (and not the desktop app).
The first time I noticed it was in my family account, when my wife was seeing passwords that I had put into a vault for old work related items - and so I was surprised when I used her computer that they were offered as prompted suggestions. Initially I put this down to the web-browser plugin not honouring vaults that have been marked as excluded (and I think this is a bug, which I don't know if its been reported).
However, we use 1Password in the office now, and a user has just triggered a 2FA message as he tried to login in with an account in a vault that he doesn't have access to. He has sent me a screen shot of the completion - and I don't understand why he has access to this password when its in a vault that he isn't privy to. As this is a newish user, that previously had a guest account and we just upgraded him to a full account (so deleted and re-added), and that full account was setup with a single vault access - I am surprised by this observation and it strikes me as being a security issue in its own right?
Is there something that would explain this? How can we help diagnose something that could be quite a serious issue?
Thanks,
Tim
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Comments
-
Hi @365nice,
If you have permissions to view data in a particular vault, the items and credentials within that vault will show up in your view after you unlock 1Password. It's possible something else is going on here, so let's get this moved over to email and take a closer look.
You can send an email to businesssupport@1password.com from your team or business account's registered email address so we can continue the conversation there.
After you have sent the email, please feel free to post the ticket number you receive so we can locate your message and connect it with this forum discussion.
0 -
Once you determine the root cause, please let us know what the issue was (so we can be sure to avoid it).
0 -
Thanks for coming back to me - as described, a new user seems to have been prompted in the 1P plugin with a login in a vault I don't think we gave them access to - so its very strange (and a bit worrying). I will contact you as described, but this thread might be useful in case others have seen this too (and its something you might not realise). I won't rule out user error either - but the example is specific enough that it caught my attention.
0 -
Perfect. I'm able to see your email in our system and I have replied, @365nice. 👍
ref: 35110
For some background, to effectively troubleshoot these types of scenarios, we often need to inquire about account setups and device configuration. To avoid sharing private information in this public forum, this is best handled privately through email. Of course, any findings can certainly be shared here so others can take a look if you'd like to do so.
0 -
For future reference for anyone experiencing this issue - we tracked the problem down to some vaults that had inadvertently been given "Team Members" access - which of course means - all team members can view that item.
As a note to 1Password - it could be handy if 1Password had an option to explain why someone can see something (this is something that Atlassian Jira actually does well).
I've relayed this in my ticket @ag_max - and appreciate your patience with helping me investigate the issue.
Tim
0
