Unknowingly gave full access to all vaults
I consider this to be a critical bug in the web UX for 1Password.
I have a family shared plan that I use for myself and my spouse. We have individual "Private" vaults, and one "Shared" vault between us.
Today I created a new vault to share separate logins with my brother, "Rental House". This was meant to be the only vault that he can see.
I went through the flows for creating a new user, new vault, and shared the "Rental House" vault with him. He informed me afterwards that he had access to my "Shared" vault as well. Had he not told me this I would not have seen that problem. Attached is a screenshot of the Person Details screen. This screen does not indicate that he has access to any vault other than "Rental House", but he can see my "Shared" vault too.
I've suspended his user until I can share only the "Rental House" vault with him, and am happy to do that without additional help. However, I think the 1Password team should update this UX to indicate all shared vaults in the Person Details screen. As it stands this is a major security hole.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
Hello @mlaszuk! 👋
I'm sorry for the confusion. There are three different types of vaults available with 1Password Families memberships:
- The Private vault: each family member has their own Private vault and this is where they can store items that are for their eyes only. You can't share your Private vault with another family member.
- The default Shared vault: items in the default shared vault will be seen by any family member who is part of your 1Password Families membership. You can't edit the permissions of the default Shared vault.
- Custom shared vaults: items in a custom shared vault will be seen only by family members who have access to that particular shared vault.
The "Person Details" page lists the custom shared vaults whose permissions you have the ability to edit. Since the permissions of the Private vault and the default Shared vault can't be edited they are not listed on this page. That being said, I can certainly see where there is room for misinterpretation here and I've filed an internal request on your behalf with our product team to see if we can improve how the "Person Details" page works in the future.
In the meantime, I suggest one of the following options if you'd like to grant your brother access to only one vault:
- You can invite your brother as a guest so that he has access only to a single vault: Share with guests in 1Password Families
- You can create a new custom shared vault only for yourself and your spouse, move the items from the default Shared vault into the custom shared vault, and then delete the default Shared vault. Once deleted, the default Shared vault can't be recreated.
Please let me know if you have any questions. 🙂
-Dave
ref: IDEA-I-2397
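To make the access rules in Dave's reply concrete, here is an added Python model (not 1Password's code; the vault names other than "Shared" and "Rental House", and the person names, are constructed) that computes which vaults a person can actually see under the three vault types described above, compares that with what the Person Details page lists, and shows the effect of both suggested fixes (inviting the brother as a guest, or replacing the default Shared vault with a custom one).

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class VaultKind(Enum):
    PRIVATE = "private"                # one per family member, never shareable
    DEFAULT_SHARED = "default_shared"  # visible to every family member, permissions not editable
    CUSTOM = "custom"                  # visible only to people explicitly granted access


@dataclass(frozen=True)
class Vault:
    name: str
    kind: VaultKind
    owner: Optional[str] = None  # only meaningful for PRIVATE vaults


@dataclass
class Person:
    name: str
    is_guest: bool = False  # assumption from the reply: guests see only vaults shared with them
    granted: Set[str] = field(default_factory=set)  # custom vaults explicitly shared with them


def effective_access(person: Person, vaults: List[Vault]) -> Set[str]:
    """Vaults the person can actually see, modelled on the rules in the reply above."""
    visible: Set[str] = set()
    for v in vaults:
        if v.kind is VaultKind.PRIVATE:
            # A Private vault is visible only to its owner; guests have none.
            if not person.is_guest and v.owner == person.name:
                visible.add(v.name)
        elif v.kind is VaultKind.DEFAULT_SHARED:
            # Every family member sees the default Shared vault automatically.
            if not person.is_guest:
                visible.add(v.name)
        elif v.name in person.granted:
            visible.add(v.name)
    return visible


def person_details_listing(person: Person, vaults: List[Vault]) -> Set[str]:
    """What the Person Details page shows: only custom vaults whose permissions are editable."""
    return {v.name for v in vaults if v.kind is VaultKind.CUSTOM and v.name in person.granted}


def unlisted_access(person: Person, vaults: List[Vault]) -> Set[str]:
    """Vaults the person can see that the page does not list: the gap the original poster hit."""
    return effective_access(person, vaults) - person_details_listing(person, vaults)


# Constructed scenario matching the original post: two Private vaults, the default
# Shared vault, and the custom "Rental House" vault shared with the brother.
VAULTS = [
    Vault("Private (mlaszuk)", VaultKind.PRIVATE, owner="mlaszuk"),
    Vault("Private (spouse)", VaultKind.PRIVATE, owner="spouse"),
    Vault("Shared", VaultKind.DEFAULT_SHARED),
    Vault("Rental House", VaultKind.CUSTOM),
]
OWNER = Person("mlaszuk", granted={"Family", "Rental House"})
FAMILY_BROTHER = Person("brother", granted={"Rental House"})          # invited as a family member
GUEST_BROTHER = Person("brother", is_guest=True, granted={"Rental House"})  # option 1: guest

# Option 2: a custom "Family" vault (constructed name) for owner and spouse replaces the
# default Shared vault, which is then deleted.
AFTER_MIGRATION = [
    Vault("Private (mlaszuk)", VaultKind.PRIVATE, owner="mlaszuk"),
    Vault("Private (spouse)", VaultKind.PRIVATE, owner="spouse"),
    Vault("Family", VaultKind.CUSTOM),
    Vault("Rental House", VaultKind.CUSTOM),
]


if __name__ == "__main__":
    print("family member, unlisted access:", unlisted_access(FAMILY_BROTHER, VAULTS))
    print("guest, effective access:", effective_access(GUEST_BROTHER, VAULTS))
    print("family member after migration:", effective_access(FAMILY_BROTHER, AFTER_MIGRATION))
```

The audit function to rely on is `effective_access`, not `person_details_listing`: a per-person page that only shows editable grants can never reveal access that comes from membership itself, so a defender checking "who can see this vault" should enumerate from the vault side or from the membership rules rather than trust the listing.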
Thanks for the quick reply. I hope your product team understands how this would open unintended access to the Shared vault in some cases.