(backdoor in?) 1password application tries to connect to strange website

heliumcraft
Community Member

Why is 1Password trying to connect to asia.nikkei.com?
http://i.imgur.com/3TEr83j.png

Comments

  • Stephen_C
    Community Member

    I can conceive of no earthly reason why 1Password should wish to connect to that site unless you ask it to do so. Somebody on this forum reported a couple of months ago that 1P was trying to connect to some random website but I can't for the life of me recall at the moment what the solution was. All I can tell you is that it certainly wasn't a back door in 1P, or anything that 1P was actually trying to do.

    What are you doing on your machine when you receive that message? Are you trying to log in to the site, or trying to save a login, or is the message completely random?

    Stephen

  • heliumcraft
    Community Member

    @stephen p After investigating this further, it seems that (hopefully) this is a side effect of Little Snitch doing a reverse DNS lookup. The IP associated with that website is also used by 1Password services, possibly because it's not a dedicated IP and is instead on some shared server or something like that.

  • Stephen_C
    Community Member

    There is (a rather old, I think) knowledge base article which explains what servers 1Password will access when you have rich icons (1P > Preferences > General Use rich icons) enabled.

    Just in case you can't access that link the article includes the following:

    If you enable Show Rich Icons then 1Password will attempt to fetch icons for Logins and Software listed in your data from: d2x2f6qan2kccj.cloudfront.net.

    We do not see the IP addresses for any connection, and indeed we only log “misses” without IP address. Logging the misses helps us see what images do need to be added.

    Although it may not be possible for us to collect IP addresses of requests coming in to the Rich Icon image server, users should assume that it is possible for Amazon to do so if they wish to or are compelled to.

    There may be a more up to date knowledge base article which is relevant but, if so, I can't for the life of me find it just now.

    Stephen

  • littlebobbytables
    1Password Alumni

    Hi @heliumcraft

    Sorry for the scare. You're quite right with your deductive findings, it's just reverse DNS lookup on our CDN. I believe if you alter LittleSnitch to allow to our specific address the heart-stopping notifications will disappear.

    I have two rules, I allow https to d2x2f6qan2kccj.cloudfront.net and aws.cachefly.net and those two rules have resulted in zero 1Password/Little Snitch queries ever since.

This discussion has been closed.
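
The thread's conclusion (a firewall label taken from a reverse lookup on a shared CDN address) can be checked by resolving the expected hostnames forward and comparing them with the flagged IP. The sketch below is an added example, not code from 1Password or Little Snitch; the function names and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
import socket

def forward_ips(host):
    """Addresses the system resolver returns for host (needs network)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}
    except socket.gaierror:
        return set()

def reverse_names(ip):
    """PTR name and aliases for ip, or an empty set if there is none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return {name, *aliases}
    except (socket.herror, socket.gaierror):
        return set()

def classify(ip, shown_name, expected_hosts, forward=forward_ips, reverse=reverse_names):
    """Explain a firewall prompt for `ip` that was labelled `shown_name`."""
    matches = sorted(h for h in expected_hosts if ip in forward(h))
    if not matches:
        verdict = "unexplained"   # no expected host resolves to this address
    elif shown_name in expected_hosts:
        verdict = "expected"
    else:
        verdict = "shared-ip"     # expected host and the odd label share the address
    return {"ip": ip, "shown": shown_name, "expected_matches": matches,
            "label_from_ptr": shown_name in reverse(ip), "verdict": verdict}

# Constructed sample data: documentation-range addresses, not real DNS answers.
EXPECTED = ["d2x2f6qan2kccj.cloudfront.net", "aws.cachefly.net"]
SAMPLE_A = {"d2x2f6qan2kccj.cloudfront.net": {"203.0.113.10", "203.0.113.11"},
            "aws.cachefly.net": {"203.0.113.40"},
            "asia.nikkei.com": {"203.0.113.10"}}
SAMPLE_PTR = {"203.0.113.10": {"asia.nikkei.com"}}

def classify_sample(ip, shown_name):
    """Run classify() offline against the constructed tables above."""
    return classify(ip, shown_name, EXPECTED,
                    forward=lambda h: SAMPLE_A.get(h, set()),
                    reverse=lambda a: SAMPLE_PTR.get(a, set()))

if __name__ == "__main__":
    print(classify_sample("203.0.113.10", "asia.nikkei.com"))   # shared-ip
    print(classify_sample("198.51.100.7", "asia.nikkei.com"))   # unexplained
```

CDN answers rotate, so a live check with `classify()` should be run close to the time of the prompt; an "unexplained" verdict means only that none of the listed hosts currently resolves to that address.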