Security notice: Logging in versions prior to 0.0.2

jpgoldberg
jpgoldberg
1Password Alumni
edited August 2017 in CLI

Earlier today we emailed people who was provided early access to our 1Password CLI tool about a security and privacy issue with the op tool: It may have logged sensitive information to a local disk and was creating a log file with insecure permissions.

Recommended Action

You should inspect the $HOME/op.log file for sensitive information, after which you should remove it. Consider who may have had access to the file, including backups.

The Bugs

There are two security bugs that we are addressing.

The first is that logs were written to $HOME/op.log with 0666 permissions. Depending on the user's umask settings and the accessibility of their home directory, the file may be readable by others on the system.

The second bug is that far too much information has been written to this log file in the user's home directories. We do not believe that any decrypted item details (such as passwords, secure notes, etc) has been logged, but other potentially sensitive information may have been.

Discussion

At this point we have not confirmed that any user secrets (such as passwords, contents of secure notes, etc) have been written to the log, but certain potentially sensitive data about items, vaults, and accounts is likely to have been written. This would include things like names of vaults, user's email address, titles of items and so on.

These bugs were identified internally by AgileBits on 29 May, 2017, and the binaries removed from our download services. An updated version of op has been released which and it's extremely conservative about logging. You can find download links in this announcement.

We have been investigating the root and proximal causes of our blunder.

In the broad terms it appears that we (a) failed to properly transition from debug and developer-use-only tools to something to be used by others, and (b) failed to follow appropriate internal development practices in debugging and code review. We deeply apologize for our errors, and we will follow through to gain a better understanding what went wrong.

If you have any questions, please don't hesitate to reach out.

Sincerely,

Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
https://1password.com

This discussion has been closed.