Surprising security issue with shared folder
Hi, just as I was feeling more confident with 1P families and so added another family member to our account, I (or rather my sister-in-law) spotted what we consider a security issue.
I was showing her her assigned vaults - Personal, Holidays and Shared - and how there were a few things already in the shared vaults that my wife and I had set up. However, she spotted that when she clicked on the Shared vault the Trash icon (which I think is only visible in the OS X app?) had 53 items in it. I was surprised, and when we looked these were things that I had moved to other folders while I was figuring out a good structure for the wider family.
Comparing these items to their counterparts in other vaults, they are current logins and things I didn't necessarily want my sister-in-law to access. I have a hunch that when you move an item to another vault it's actually a delete and add operation internally, and as such it keeps a copy in the trash - although in the case of Shared, this deleted copy is still public in the trash. I'm not convinced this is what users would expect (it certainly hadn't occurred to me that moving it somewhere less accessible would leave this copy around, and it wouldn't occur to me to empty the trash can to prevent this).
I think this behaviour needs a rethink. At the very least make the trash can an admin only accessible location - or don't consider a move as a delete+add operation.
Tim
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @365nice,
I agree that it would be good for us to do better with this case, and that it feels unnatural for the items to linger around in the trash. We have a few ideas for how we could do better, but so far none have felt good enough to start down the path of implementation. I'm confident that eventually we'll figure it out.
There are a couple of issues that bite us here. The biggest one is that when we designed sync for 1Password.com, we decided that the apps shouldn't be responsible for deleting items. The only time a device should delete an item is when the server has told it to. So when you're doing Empty Trash on a 1Password Families vault, what you're really doing is asking the server to empty the trash, and then the server tells the apps to follow along. You can actually verify this by disabling your internet connection and trying to empty the trash; you should get an error message. Doing it this way allowed us to bypass all sorts of problems, but it has some downsides.
What we would need in this case is a way for the app to tell the server that you'd like to move the item, and the server could trash/delete the item for you. That's relatively straightforward for us to do. The reason we haven't done that yet is that it wouldn't work when you're offline. When you're offline you would end up in a situation where you, the user, would expect the item to vanish, but the app has no real way of making that happen on its own because it couldn't ask the server to do it for you.
There are workarounds for all of this... for example, we could have the app leave the item in the local database but not show it to you, and wait until you have a network connection in order to ask the server to do the actual deleting. I think that the eventual solution will resemble that. So far the designs we've had for the solution haven't seemed right to us and added a lot of complexity.
We have other ideas for how to approach this kind of thing (moving items across vaults/accounts) completely differently which might also impact this.
This problem is definitely one we're aware of and want to make better.
Rick
0 -
Hi, thanks, I'm glad to hear you had thought about it. For now I will clear the trash on my shared folders - but a better solution from you is desirable, as on the surface it looks like a security issue (I'm assuming a full Teams account, which our company uses, has a similar issue, and this will need careful education as it has more severe consequences in terms of corporate access).
I do wish you had called this out better to admins/account owners, though - if it's a known problem with tricky consequences (particularly for teams) it would have been good to know to pay attention.
Tim
0 -
Thanks again for the feedback Tim. :)
0 -
Is there any movement on this? I see you fixing bugs and adding features, but this one is a really important issue, particularly for teams trying to collaborate but also maintain a level of security between each other.
0 -
We're rethinking this as Rick mentioned. I hope we'll have more to share soon. Thanks for checking in. :+1:
0