Insecure quicklooking attachments in 1Password and 1Password Mini, UNEXPECTED DATA LEAK
1Password
Version 5.3 (530029)
Mac App Store
I am surprised and a bit disappointed, that quicklooking attachments store a temporary cleartext-copy on disk. These files are NOT removed after ending quicklook. So they may be stored for hours on disk and are backed up with time machine. This behavior is really not expected by me and I assume also not by other users. This also works without even running the 1Password.app, it is sufficent to do this quicklook in the Mini App. The files are located in subfolders of ~/Library/Group Containers/2BUA...... Would you please take this as a bug report and/or put this in the documentation and FAQ. Thanks, Thomas
Comments
-
Hi @bleek,
I've just performed a find command over the entire
2BUA8C4S2C.com.agilebits.onepassword-osx-helperfolder with Quick Look active but zero results were returned for any cache. If you can specify the exact subfolder that will would greatly assist us in investigating this matter.0 -
Bobby,
He was referring to the ~/LibraryGroup Containers folder, not ~Library/Containers folder. In my research I was unable to reproduce the problem, but I seldom use quicklook inside 1Password.—V0 -
Hi,
here some output from terminal with comments. I describe using 1Password mini for searching and showing an item.iMac2012:2BUA8C4S2C.com.agilebits bl$ pwd
/Users/bl/Library/Group Containers/2BUA8C4S2C.com.agilebitsthe directory is empty (only the App Store Receipts).
iMac2012:2BUA8C4S2C.com.agilebits bl$ ls -l
total 0
drwxr-xr-x 3 bl staff 102 Apr 7 17:35 App Store Receiptsafter quicklook an attachment (mark the attachment and press the space (no need to actually run the corresponding #app like preview or textedit) (pls. see the attached screenshots)
Then the second folder with two subdir was created with the decrypted (cleartext) attachment inside.
this file remains there even after ending quicklook (pressing space bar again), this at least should be avoided
iMac2012:2BUA8C4S2C.com.agilebits bl$ ls -l
total 0
drwxr-xr-x 3 bl staff 102 Apr 7 17:35 App Store Receipts
drwxr-xr-x@ 3 bl staff 102 Apr 25 08:15 com.agilebits.Attachments
iMac2012:2BUA8C4S2C.com.agilebits bl$ ls -l com.agilebits.Attachments/23CA338F04634E71928128DC99B1AAB3/3318C545B68A4E6FAF65794B68256697/Text-Attachment-TextEdit-V2.rtf
-rw-r--r--@ 1 bl staff 484 Apr 25 08:15 com.agilebits.Attachments/23CA338F04634E71928128DC99B1AAB3/3318C545B68A4E6FAF65794B68256697/Text-Attachment-TextEdit-V2.rtf
iMac2012:2BUA8C4S2C.com.agilebits bl$ ls -l com.agilebits.Attachments/23CA338F04634E71928128DC99B1AAB3/3318C545B68A4E6FAF65794B68256697/Text-Attachment-TextEdit-V2.rtf
-rw-r--r--@ 1 bl staff 484 Apr 25 08:15 com.agilebits.Attachments/23CA338F04634E71928128DC99B1AAB3/3318C545B68A4E6FAF65794B68256697/Text-Attachment-TextEdit-V2.rtf
iMac2012:2BUA8C4S2C.com.agilebits bl$This file remains readable on disk. These directories will vanish only after running 1Password and closing it again.
Of course you can also simply quicklook the attachment in 1Password app, the problem is the same. I only want to illustrate, that there is no need to actually run 1Password.What is my problem? These unencrypted attachments will be saved with time machine and that is unexpected behavior and should be avoided or at least documented. (I know, we can encrypt TM Backups, but that is not the point.)
Thanks,
Thomas
0 -
Take a look at this AgileBits post and see if it helps to explain things. (I appreciate you're using Quick Look rather than Preview but I imagine the point still applies.)
Stephen
0 -
This links explains the problem with opening the attachments with external applications. This is quite clear and easily understandable. The problem I described here is, that even when using quicklook (pressing spacebar in 1password) this problem exists. And on top even when ending quicklook the file remains accessable, In your agile post this is explained wrong in my opinion, I mean the last sentence.
So please change this behavior or make a clear advice in the docs. This all is unexpectable for the end user.
Thanks,
thomas0 -
Hi @bleek,
I agree with you. This is a problem. I've filed bug OPM-3041 so that we can get this fixed up. The unencrypted data is deleted as soon as the vault is locked, but it's true that TimeMachine could capture the file data while it's unencrypted. I recommend that you add an exclusion for 1Password's attachment data directory in TimeMachine until this bug is resolved. There will still be a period of time where the data will be accessible to TimeMachine, even after we do this fix. Quicklook works by having the system load a URL (a file URL to a file on disk, typically). This means that the data must be unencrypted for it be Quicklooked, and the data has to be on disk. So while Quicklook is open, TimeMachine could try to be helpful and backup the unencrypted data. If this is a security concern for you, I highly recommend excluding that directory from TimeMachine.
Rick
ref: OPM-3041
0 -
Hi Rick,
thanks for filing the bug.
If 1Password is able to choose the place for this temporary storage you could perhaps find a location which is by default not backed up by Time Machine?
I personally have no problem with these backups because they are encrypted too but I assume, that many user do not use encrypted backups.Best regards and many thanks to the whole agilebits team for the really fantastic 1Password App,
Thomas0 -
Hi @bleek,
I see Rick has also created tickets relating to Time Machine and Spotlight to crack down on this. I can't promise anything regarding ETAs but hopefully the next release will fix all of these as it isn't cool. Thank you for bringing this to our attention.
ref: OPM-3043 & ref: OPM-3045
0
