Can a vault be compromised because of OPI-3323

hashier
Community Member

Hi,

I found the following in the change log:

  • We discovered a case where changing the Master Password of one vault could result in the Master Password being changed on a different vault. We have corrected this error. {OPI-3323}

This leads me to think that I don't need to know the current password of a vault to change its password. Hence I could just change any password of any vault to something I know and therefore get a hold on the information inside that vault.



Comments

  • nathanvf
    1Password Alumni
    edited January 2016

    Hi @hashier,

    That is not entirely true, but I understand why you would think that. You can't change the password of a vault that you don't already have access to.

    The short answer is that once you have 1Password set up and unlocked, you can, on a technical level, make a password change.

    A little longer answer is that when you set up a Primary vault, it is unlocked with your Master Password. But when you set up a secondary vault, the Primary vault will store the keys for the Secondary Vault (and not its password) to unlock it. So essentially unlocking the Primary vault unlocks the Secondary. Having a vault unlocked is all you need to change the password of a vault. So the bug that you're talking about is basically flawed logic where we changed the password of something that we had access to.

    So I hope it seems a bit less scary now! :chuffed:
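
The key model described in the reply above, as an added example that is not part of the original thread and is not 1Password's code. The `Vault` class, its method names, and the HMAC-based wrap are assumptions chosen to keep it standard-library only; a real product would use a proper AEAD or key-wrap construction.

```python
import hashlib, hmac, os

def kek(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from a Master Password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def wrap(k: bytes, vault_key: bytes) -> bytes:
    # Toy authenticated wrap (HMAC pad + HMAC tag); a stand-in for real key wrapping.
    nonce = os.urandom(16)
    pad = hmac.new(k, b"pad" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(vault_key, pad))
    return nonce + ct + hmac.new(k, b"tag" + nonce + ct, "sha256").digest()

def unwrap(k: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(k, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or key")
    pad = hmac.new(k, b"pad" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

class Vault:  # hypothetical model, not the product's data format
    def __init__(self, password: str):
        self.key = os.urandom(32)   # vault key; present only while unlocked
        self.secondary_keys = {}    # name -> secondary vault key, wrapped under self.key
        self.change_password(password)

    def lock(self):
        self.key = None

    def unlock(self, password: str):
        self.key = unwrap(kek(password, self.salt), self.wrapped)

    def change_password(self, new_password: str):
        # Re-wraps the in-memory vault key; the old password is never consulted.
        if self.key is None:
            raise PermissionError("vault is locked")
        self.salt = os.urandom(16)
        self.wrapped = wrap(kek(new_password, self.salt), self.key)

    def store_secondary(self, name: str, other: "Vault"):
        # The primary keeps the secondary's key, not its password.
        self.secondary_keys[name] = wrap(self.key, other.key)

    def unlock_secondary(self, name: str, other: "Vault"):
        other.key = unwrap(self.key, self.secondary_keys[name])
```

Because the primary stores the secondary's key rather than its password, changing the secondary's password leaves the primary's stored copy valid, while a locked vault cannot have its password changed at all.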

  • hashier
    Community Member

    Thanks for the answer and explanation.

  • On behalf of Nathan you are very welcome. :)

    Ben

This discussion has been closed.