AgileBits response to TeamSIK report on Android version? [https://support.1password.com/kb/201702a/]
https://team-sik.org/trent_portfolio/password-manager-apps/
Any comments from AgileBits on the above?
AgileBits Update:
AgileBits has released our response on our knowledge base. The article is available here:
TeamSIK report on 1Password for Android (February 2017)
Comments
-
Hi @lrosenman
If you look at the reports for 1Password, each of them indicates that the issue cited has been fixed. :)
Ben
0 -
Thanks -- Just making sure :)
I just glanced over it, and wanted an "official" answer. Great to see y'all handled it quickly and appropriately.
Good Job!
0 -
While I don't have any Android devices (and don't plan to get any) I would like to know about the AgileBits response to this TeamSIK report:
https://team-sik.org/trent_portfolio/password-manager-apps/
Where can I find that?
0 -
Ah, I missed this post somehow: :(
https://discussions.agilebits.com/discussion/76011/comments-on-team-sik#latest
(my topic can be closed - if the forum software allows that)
0 -
Hi @XIII,
We also have an official knowledge base article with our responses which you might find useful :)
0 -
Hi @lrosenman,
We also published this knowledge base article with our responses ;)
0 -
Thank you for clarifying!
0 -
According to recent studies, 1Password is one of nine password management apps that have security issues of lesser or greater severity.
TeamSIK (a German research team) has found five security flaws (https://team-sik.org/trent_portfolio/password-manager-apps/), one of which is high in severity:
SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
SIK-2016-041: Read Private Data From App Folder in 1Password Manager
SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager
My question is whether 1Password is aware of these issues and whether you're already working on an update (or might already have released such an update).
Thanks in advance & have a great day!
Rediwed
1Password Version: Newest android beta
Extension Version: Not Provided
OS Version: Android 7.1.1
Sync Type: 1P Accounts
0 -
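The first two finding titles above (SIK-2016-038 and SIK-2016-039) name two generic bug classes in a password manager's built-in browser: offering a saved login on any host that merely shares a base domain with the saved site, and opening or filling a stored login over plain HTTP. The report's actual mechanism and test cases are not on this page, so the following is an added illustration of those classes only; it is not code from this thread, from TeamSIK, or from AgileBits. The tiny public-suffix set, the host names and the URLs are constructed for the example.

```python
"""
Added example: two autofill/URL checks for a password manager's built-in browser.
Constructed illustration of the bug classes named by SIK-2016-038/-039; not
AgileBits code, and not a reproduction of the TeamSIK test cases.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (publicsuffix.org). A real implementation loads the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "github.io"}


def naive_base_domain(host):
    """Unsafe heuristic: 'site' = last two DNS labels. This treats
    alice.github.io and bob.github.io as the same site."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def registrable_domain(host):
    """eTLD+1 using the suffix list: 'login.example.co.uk' -> 'example.co.uk',
    'alice.github.io' -> 'alice.github.io'. None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def naive_same_site(saved_host, page_host):
    """The leaky comparison: credentials saved for alice.github.io would be
    offered on bob.github.io, which a different user controls."""
    return naive_base_domain(saved_host) == naive_base_domain(page_host)


def safe_same_site(saved_host, page_host):
    """Suffix-aware comparison. Hosts under a public suffix only match
    when the whole registrable domain agrees."""
    a, b = registrable_domain(saved_host), registrable_domain(page_host)
    return a is not None and a == b


def url_to_open(stored_url):
    """Build the URL the internal browser navigates to for a saved login.
    A scheme-less entry defaults to https, never to http."""
    if "://" not in stored_url:
        stored_url = "https://" + stored_url
    parts = urlsplit(stored_url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported or malformed URL: %r" % stored_url)
    return urlunsplit((scheme, parts.netloc, parts.path or "/",
                       parts.query, parts.fragment))


def should_autofill(saved_url, page_url):
    """Fill only when the page is on the same registrable domain AND does not
    downgrade a saved https login to a plaintext http page."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if not saved.hostname or not page.hostname:
        return False
    if not safe_same_site(saved.hostname, page.hostname):
        return False
    if saved.scheme == "https" and page.scheme != "https":
        return False  # would hand the password to an http page
    return True


if __name__ == "__main__":
    print("naive alice/bob github.io:", naive_same_site("alice.github.io", "bob.github.io"))
    print("safe  alice/bob github.io:", safe_same_site("alice.github.io", "bob.github.io"))
    print("open example.com as:", url_to_open("example.com"))
    print("fill https->http?", should_autofill("https://login.example.com/", "http://login.example.com/"))
```

The naive and suffix-aware comparisons are kept side by side on purpose: the leak only shows up for hosts under a public suffix (github.io, co.uk), which a "last two labels" heuristic cannot distinguish from a single site's own subdomains.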
On behalf of Daniel, you're most welcome. :)
Ben
0 -
Yes, thank you. The kind of response that increases trust in AgileBits/1Password. Thanks!
0 -
Hi,
Can I ask somebody from the 1Password team to comment on the following articles about security:
http://thehackernews.com/2017/02/password-manager-apps.html
- Subdomain Password Leakage in 1Password Internal Browser
- HTTPS downgrade to HTTP URL by default in 1Password Internal Browser
- Titles and URLs Not Encrypted in 1Password Database
- Read Private Data From App Folder in 1Password Manager
- Privacy Issue, Information Leaked to Vendor 1Password Manager
https://team-sik.org/trent_portfolio/password-manager-apps/
- SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
- SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
- SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
- SIK-2016-041: Read Private Data From App Folder in 1Password Manager
- SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager
???
0 -
You are not the first to ask today... (neither was I...)
0 -
:+1: :)
Ben
0 -
Hey @XIII,
Ah, I missed this post somehow: :(
https://discussions.agilebits.com/discussion/76011/comments-on-team-sik#latest
(my topic can be closed - if the forum software allows that)
No worries! Instead, I've merged the two discussions. :)
0 -
I see you guys are busy!
Just wondering, do you guys also scan the dark/deep web for issues?
0 -
Hi,
Have you seen this write up: http://thehackernews.com/2017/02/password-manager-apps.html ?
The report, published on Tuesday by a group of security experts from TeamSIK of the Fraunhofer Institute for Secure Information Technology in Germany, revealed that nine of the most popular Android password managers available on Google Play are vulnerable to one or more security vulnerabilities.
I'm not saying the sky is falling or anything like that, but I am curious if you've had a chance to review and perhaps rebut any of the findings.
I work in IT Security and understand context is king, and not everything noted in any finding is "bad" without context.
It would be great if AgileBits could reply, perhaps with a blog post of its own?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Security flaws in 1Password
0 -
I should also point out that TeamSIK tested v6.3.3 and not the latest version 6.6.3 that I'm running.
Really hope they reached out to you before publishing these results. That would be the professional thing to do.
--shawn
0 -
@GoShawn This is already talked about. All has been fixed.
0 -
Hi @GoShawn,
I've merged your posts into this discussion that @prime referred to; hope you don't mind. :)
… and not the latest version 6.6.3 that I'm running.
Version 6.5.1 is currently the latest release of 1Password for Android. Not sure which version you're running since 6.6.3 doesn't exist for 1Password on any platform at the moment.
0 -
Nope, not at all.
Although scanning the 1P app vs. addressing the findings are different topics.
Re: 6.6.3, it was a typo.
I'm running 6.6 (Mac App Store) on one of my Macs, and 6.6.1 from the AgileBits store on another.
0 -
Did you get a chance to read this article? https://support.1password.com/kb/201702a/
I'm not really sure I understand this comment:
Although scanning the 1P app vs. addressing the findings are different topics.
I may be missing some context.
Ben
0 -
@Ben,
Context is always important. Please let me clarify:
a - @Prime asked, "just wondering, do you guys also scan the dark/deep web for issues?"
b - TeamSIK didn't offer any real information regarding their, "security analysis," so it leaves a lot of questions in my mind regarding their testing methodology.
So my comment is two fold
1 - AgileBits likely tests its software using a variety of manual and/or automated methods with a focus on your products and hopefully leveraging 3rd party companies for occasional review, as any reputable software security company would do. I doubt you are spending a ton of time "scanning the dark web for issues," but you might be scanning your own code. :-)
2 - a full blown, end-to-end, penetration test of an application/service, including front end apps (1Password app for various platforms and the Web App) and back end service (e.g., the menagerie of hardware, software etc. that make up 1Password for Families and Teams) is much different than running a vulnerability scan of an application itself.
Perhaps I was jumping the gun and my comment should have been put out to pasture. Apologies for that.
--Shawn
0 -
Agreed, your points make perfect sense. I am sure that by now you have had the chance to read our official knowledge base article after TeamSIK's reports (Ben linked it in his last comment here), but because you mentioned third-party audits, I thought you might like taking a look at this other article too ;)
In summary: you are right, we do not focus on the app code alone, our testing goes way deeper than that.
0 -
Please comment on this issue.
http://thehackernews.com/2017/02/password-manager-apps.html
But what if your Password Manager itself is vulnerable?
Well, it's not just imagination, as a new report has revealed that some of the most popular password managers are affected by critical vulnerabilities that can expose user credentials.
1Password – Password Manager
Subdomain Password Leakage in 1Password Internal Browser
HTTPS downgrade to HTTP URL by default in 1Password Internal Browser
Titles and URLs Not Encrypted in 1Password Database
Read Private Data From App Folder in 1Password Manager
Privacy Issue, Information Leaked to Vendor 1Password Manager
More info: https://team-sik.org/trent_portfolio/password-manager-apps/
!! Update 2017-03-01: All reported vulnerabilities are fixed by the vendors !!
1Password Version: 6.6
Extension Version: 4.6.3
OS Version: macOS 10.12.3 (16D32)
Sync Type: iCloud
0 -
Hey @jackiam,
AgileBits has an official kb article with their responses which you might find useful :chuffed:
Also I believe these were vulnerabilities on the Android version not the iOS version.
Cheers,
Andrew
0