Why does 1Password still install to the user’s local application directory?
I'm interested in 1Password, mostly because of the automation options via the connect server.
So I started reading and reading, including security audit reports. In the last security audit handled by Cure53, there is a 'high' described as follows:
1PW-18-003 WP2: Windows malware can trivially backdoor .html and .js (High)
This security audit took place at the end of 2021. At that time, 1Password commented the following:
[...] 1Password wants to get those trade-offs just right before they roll out a fix.
Another solution mentioned in the security audit report is the use of an .msi, which actually installs in a much more secure location.
Almost 7 months later, I can see this issue is still not fixed in the normal installer. Neither is an .msi available for 1Password 8. In this community I can find questions asking for this .msi since November 2021.
I'm very curious why this "high" issue is still not fixed and why the workaround of the .msi still isn't available. Mostly because backdooring of 1Password 8 on Windows is so trivial, it's even described in detail in the public report.
What am I missing here?
1Password Version: 8
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided