Can a vault be compromised because of OPI-3323
Hi,
I found the following in the change log:
- We discovered a case where changing the Master Password of one vault could result in the Master Password being changed on a different vault. We have corrected this error. {OPI-3323}
This leads me to think that I don't need to know the current password of a vault to change its password. Hence I could just change any password of any vault to something I know and therefore get hold of the information inside that vault.
Comments
-
Hi @hashier,
That is not entirely true, but I understand why you would think that. You can't change the password of a vault that you don't already have access to.
The short answer is that once you have 1Password set up and unlocked, you can, on a technical level, make a password change.
A little longer answer is that when you set up a Primary vault, it is unlocked with your Master Password. But when you set up a secondary vault, the Primary vault will store the keys for the Secondary Vault (and not its password) to unlock it. So essentially unlocking the Primary vault unlocks the Secondary. Having a vault unlocked is all you need to change the password of a vault. So the bug that you're talking about is basically flawed logic where we changed the password of something that we had access to.
So I hope it seems a bit less scary now! :chuffed:
0 -
Thanks for the answer and explanation.
0 -
On behalf of Nathan you are very welcome. :)
Ben
0
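The key arrangement described in the reply above can be modelled in a few lines. This is an added example, not part of the thread and not 1Password's code or vault format: the `Vault` class, the passwords and the HMAC-based `wrap`/`unwrap` (a toy stand-in for a real authenticated key-wrap cipher) are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

def kek(password: str, salt: bytes) -> bytes:
    """Derive a key-encryption key from a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def wrap(key: bytes, secret: bytes) -> bytes:
    """Toy authenticated wrap of a 32-byte secret (HMAC pad + HMAC tag)."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or corrupted blob")
    pad = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

class Vault:
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.key = secrets.token_bytes(32)      # held in memory only while unlocked
        self.wrapped = wrap(kek(password, self.salt), self.key)

    def lock(self):
        self.key = None

    def unlock(self, password: str):
        self.key = unwrap(kek(password, self.salt), self.wrapped)

    def change_password(self, new_password: str):
        # Needs the unlocked vault key, not the old password.
        if self.key is None:
            raise PermissionError("vault is locked")
        self.salt = secrets.token_bytes(16)
        self.wrapped = wrap(kek(new_password, self.salt), self.key)

def demo():
    primary, secondary = Vault("primary-pw"), Vault("secondary-pw")  # constructed passwords
    entry = wrap(primary.key, secondary.key)    # Primary stores Secondary's key, not its password
    primary.lock(); secondary.lock()
    try:
        secondary.change_password("x"); refused = False
    except PermissionError:
        refused = True                          # no unlocked vault, no password change
    primary.unlock("primary-pw")
    secondary.key = unwrap(primary.key, entry)  # unlocking Primary unlocks Secondary
    secondary.change_password("new-pw")         # old Secondary password never supplied
    secondary.lock(); secondary.unlock("new-pw")
    return refused, secondary.key is not None
```

In this model a password change only re-wraps a key the caller already holds, so it grants no access that an unlocked vault did not already give.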