Bug with multiple account owners - holding data hostage

natehouk
Community Member

This is definitely a flaw in design.

1) User 1 (who is an account owner) creates a new vault named Banking
2) User 1 designates a second user named User 2 as an account owner
3) User 2 logs in and goes to manage vaults
4) User 2 removes access for User 1 to Banking
5) Note that neither user can grant themselves access to Banking

Now NEITHER owner has access to the vault yet neither owner can grant themselves access. In the case of two owners who are hostile towards each other, data is now being kept captive. I can think of numerous scenarios where this could be a serious issue.

For example:

User 1 shares banking personal details in a shared vault titled Banking
User 1 designates User 2 as an account owner to enable recovery
Neither User 1 nor User 2 knows the other's password
User 1 and User 2 get divorced
User 2 revokes access to vault Banking to User 1
User 1 revokes access to vault Banking to User 2

Neither can access vault Banking and the two parties are not cooperating.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
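The five steps above, replayed against a toy permission model; this is an added example, not part of the original post and not 1Password's code. The `Account` class, its rules (any owner may revoke, only a current vault member may grant) and the `keep_last_member` guard are assumptions made for illustration; the thread does not say how the vendor addressed the issue.

```python
class AccessError(Exception):
    pass

class Account:
    """Hypothetical model of the sharing rules the post describes."""
    def __init__(self, owners, keep_last_member=False):
        self.owners = set(owners)
        self.vaults = {}                      # vault name -> users with access
        self.keep_last_member = keep_last_member

    def create_vault(self, user, name):
        self.vaults[name] = {user}            # creator starts with access

    def revoke(self, actor, name, user):
        if actor not in self.owners:
            raise AccessError("only owners manage vaults")
        members = self.vaults[name]
        # Assumed guard: never let a revoke leave the vault with no members.
        if self.keep_last_member and members == {user}:
            raise AccessError("refusing to remove the last member")
        members.discard(user)

    def grant(self, actor, name, user):
        # Assumed rule behind step 5: an owner without access cannot grant it.
        if actor not in self.owners or actor not in self.vaults[name]:
            raise AccessError("actor has no access to this vault")
        self.vaults[name].add(user)

    def orphaned(self):
        """Audit check: vaults that nobody can open or re-share."""
        return sorted(n for n, m in self.vaults.items() if not m)

def reproduce(keep_last_member):
    acct = Account({"user1"}, keep_last_member)
    acct.create_vault("user1", "Banking")     # step 1
    acct.owners.add("user2")                  # step 2
    try:
        acct.revoke("user2", "Banking", "user1")   # steps 3-4
    except AccessError:
        pass
    able = []                                 # step 5: who can still grant?
    for user in ("user1", "user2"):
        try:
            acct.grant(user, "Banking", user)
            able.append(user)
        except AccessError:
            pass
    return acct.orphaned(), able

if __name__ == "__main__":
    print("no guard:  ", reproduce(False))
    print("with guard:", reproduce(True))
```
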

Comments

  • Aleen
    1Password Alumni
    edited April 2016

    Hi @natehouk,

    Thanks for pointing this out! We're aware of the issue and are working on closing that loop.

    Please let us know if you have any other suggestions!

    ref: B5-977
    ref: B5-1258

This discussion has been closed.