Report Security Related Bug

Jake7705
Community Member

Hello,
I believe I have found a security related bug that makes it possible to unlock multiple vaults with different Master Passwords using only the Master Password from one vault. I do not know if this is intentional, but it doesn't seem like a good idea (and it seems like the Master Passwords or similar for both vaults would need to be present in memory for the Master Password of one vault to open both).

Anyway, I can recreate this reliably, but I would prefer to discuss it privately, rather than posting on the forums.

I am running OS X 10.10.2 and 1Password 5 (510035) on a 2014 MacBook Pro with Retina Display - if any of that is useful.

Comments

  • MikeT
    edited January 2015

    Hi @Jake7705,

    The master password of the primary vault or the vault password(s) of the secondary vault(s)?

    It is normal for 1Password to let you unlock all secondary vaults using only your primary vault; that's by design. As long as you don't unlock your primary vault, the secondary vaults have to be unlocked with their vault password; they can't be unlocked with any other vault passwords.

    Your secondary vault keys are re-encrypted with your primary vault password in the database and do not leave the local computer. Your primary vault that you're syncing to other computers does not contain the secondary vault keys.

    Is this something you're seeing or are you seeing something else?

This discussion has been closed.
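
The key-wrapping arrangement described in the reply above, as an added sketch that is not part of the original thread and is not 1Password's code: each vault key is wrapped under its own password, and a local-only store holds the secondary vault keys re-wrapped under the primary password. The function names, passwords, iteration count and the HMAC-based wrap (a stand-in for a real AEAD, which the Python standard library lacks) are all assumptions.

```python
import hashlib, hmac, os

ITERATIONS = 10_000  # constructed value, kept low so the sketch runs quickly

def derive_kek(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 32)

def _pad(kek, nonce):
    return hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()

def wrap(kek, key):
    """Toy encrypt-then-MAC wrap of a 32-byte key (stand-in for a real AEAD)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key, _pad(kek, nonce)))
    return nonce + ct + hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong password or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _pad(kek, nonce)))

def new_vault(password):
    """Return (vault record as stored and synced, plaintext vault key)."""
    salt, key = os.urandom(16), os.urandom(32)
    return {"salt": salt, "wrapped": wrap(derive_kek(password, salt), key)}, key

def unlock(vault, password):
    return unwrap(derive_kek(password, vault["salt"]), vault["wrapped"])

def link_secondary(local_store, primary, master_pw, name, secondary_key):
    # Re-wrap under the primary password; local_store never enters the synced record.
    local_store[name] = wrap(derive_kek(master_pw, primary["salt"]), secondary_key)

def unlock_all(local_store, primary, master_pw):
    """Unlock the primary vault, then every linked secondary vault."""
    kek = derive_kek(master_pw, primary["salt"])
    unwrap(kek, primary["wrapped"])  # ValueError if master_pw is wrong
    return {name: unwrap(kek, blob) for name, blob in local_store.items()}

def demo():
    primary, _ = new_vault("primary-pw")  # constructed passwords
    work, work_key = new_vault("work-pw")
    family, family_key = new_vault("family-pw")
    local = {}
    link_secondary(local, primary, "primary-pw", "work", work_key)
    link_secondary(local, primary, "primary-pw", "family", family_key)
    return primary, work, family, local, work_key, family_key
```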