Article: "Security slip-ups in 1Password and other password managers 'extremely worrying'"

sjmagy
Community Member

Hello. I read this article from yesterday https://www.theregister.co.uk/2017/02/28/flaws_in_password_management_apps/ which links to https://team-sik.org/trent_portfolio/password-manager-apps/

I know it states the 1Password vulnerabilities they disclosed were specific to Android and were previously fixed, but as a long-time 1Password user for Mac and iOS, it has me wondering whether my platforms of choice were also vulnerable. Can someone address the security questions / concerns specific to 1Password and specify whether they have also been fixed in the Mac and iOS versions (or didn't exist in the first place)? Thank you.


1Password Version: 6.5.3
Extension Version: 4.6.3
OS Version: 10.11.6
Sync Type: prefer not to say

Comments

  • AGAlumB
    1Password Alumni

    @sjmagy: Great question! I don't think speculation is particularly helpful when it comes to security. Fortunately we don't have to. TeamSIK performed an analysis of 1Password for Android version 6.3.3 at the beginning of September last year, and the particular issues they reported to us did only apply to 1Password for Android (addressed in version 6.4.1 on September 27, 2016). You can read more details in our knowledgebase:

    TeamSIK report on 1Password for Android (February 2017)

    With regard to other platforms, a vulnerability was found on Windows last year that could allow an attacker using another user account on the same machine to connect to 1Password, and we added mutual authentication (the code you need to confirm to validate the browser connection) to address this issue. It wasn't shown to be necessary on macOS, but just for good measure (and consistency) you'll have noticed that we're using it there as well.

    There have been other issues found over the years, and no doubt there will be others. So we work closely with security researchers and independent auditors who discover flaws to get them fixed quickly, and have a bounty program to encourage others to hammer away at our software and system to discover any weakness. Suffice to say, this is pretty much all we do, and we love it, so be sure to let us know if you have any other questions. :)

  • sjmagy
    Community Member

    @brenty Thanks for the thorough response; it answers my questions.

    I tried searching the support articles before posting but it kept coming back with "no results" no matter what term I used, so the "TeamSIK report on 1Password" link you provided was impossible to find myself (hence the reason I posted the question). Reading that article though, I followed the link to the page about Third-Party Audits (https://support.1password.com/security-assessments/), and noticed some referred to the 1Password Teams infrastructure; is that the same infrastructure used by the new subscription-based pricing model?

  • Drew_AG
    1Password Alumni

    Hi @sjmagy,

    Sorry you weren't able to find that article when searching for it! I'll let our docs team know.

    ...and noticed some referred to the 1Password Teams infrastructure; is that the same infrastructure used by the new subscription-based pricing model?

    Yes, that's correct: We originally developed the 1Password Teams subscription service, and later started the Families and individual subscriptions which use the same infrastructure.

    We're here for you if you need anything else. Have a great weekend! :)

This discussion has been closed.