Contents.js file contains unencrypted metadata

[Deleted User]
Community Member
edited March 2014 in Mac

I just stumbled onto this because my Mac Dropbox informed me of an updated file ("contents.js") I wasn't aware of saving. Turns out 1Password did it.

No problem with that, but when I had a peek at it, I found a LOAD of data in that file (which FINDER can readily display for me and which pops up nicely in Safari too) that I would rather not have on relatively public display!!

That's not to say that Dropbox is "public" - but breaches happen - and this file displays information that's nobody's business but my own.

Would appreciate some commentary on this by AgileBits.

Please and thank you.

Comments

  • Hi @PeterW

    We have a conversation available on this subject here:

    Metadata is not encrypted

    I hope that helps answer your question.

    Thanks!

    Ben

  • johnplanetz
    Community Member

    Hi there,

    I was just startled to discover this as well, after setting up Dropbox sync. I can see URLs and item titles in the clear in the contents.js file.

    I'm coming from KeePass, where I felt very comfortable with the security of my data. This situation leaves me feeling unsettled as I transition to 1Password.

    I read through the other closed thread which Ben posted, which is from over a year ago:
    Khad said that the new Cloud Keychain 4 design encrypts or obfuscates everything, and that (as of the time of that post in March 2013), it was already in use for cloud sync and would soon be rolled out more widely. Great news!

    However, it is now May 2014 and 1Password is at version 4.4, and Dropbox sync is still using the old keychain format.
    I'm curious: have plans to roll out the improved keychain been scrapped? Or are they still in the works?

    Thanks,

    John

  • Megan
    1Password Alumni

    Hi John (@johnplanetz),

    You're correct, Dropbox is still using the 1Password.agilekeychain format. This is because 1Password for Windows and the Android Reader still rely on this data format. We're currently beta testing shiny new versions for both Windows and Android, and once these versions are released, we will be in a better position to fully roll out the new cloud keychain.

    Thanks for checking in on us - while I can't say exactly when this new keychain will be implemented across all platforms, we do still plan to implement this as soon as it is possible. :)

This discussion has been closed.