Domain names in clear text in local database. - security concern? [Rich Icons metadata]
After reviewing this article - https://www.theregister.co.uk/2017/02/28/flaws_in_password_management_apps/ - and specifically this disclosure - https://team-sik.org/sik-2016-040/ - I was still surprised to find that when I used http://sqlitebrowser.org/, opened up the %localappdata%\1password\data\1Password10.cache.sqlite database and reviewed the files table, I was still able to see my saved password source domain names in clear text in the relative_path column.
This 1Password10.cache.sqlite file is present even when 1Password has been locked or exited.
1Password Version: 6.7.457
Extension Version: Not Provided
OS Version: Windows
Sync Type: Not Provided
Comments
-
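The check the post describes (open the cache database, read the files table, look for domain names in relative_path) can be scripted instead of done by hand in a GUI browser. The block below is an added example, not code from the post or from 1Password: it builds a constructed stand-in for the cache file (only the `files` table and `relative_path` column are named in the post; the other columns, the `richicons/<host>.png` path layout and the sample rows are assumptions), runs the exact query from the post, and then goes one step further with a generic scan that walks every table and text column of any SQLite file looking for hostname-shaped values, which is the check a practitioner would run against any local datastore that claims to be encrypted.

```python
import os
import re
import sqlite3
import tempfile

# Path named in the post (Windows). Only used by default_cache_path(); the
# demo below runs against a constructed temp file so it works offline.
CACHE_RELATIVE = os.path.join("1password", "data", "1Password10.cache.sqlite")

# Assumed icon file extensions; stripped before matching so "example.com.png"
# is reported as "example.com". Not taken from the post.
ICON_EXTS = {".png", ".ico", ".jpg", ".jpeg", ".gif", ".svg"}

# Conservative hostname shape: dotted labels, alphabetic TLD of 2+ chars.
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def default_cache_path():
    """%localappdata%\\1password\\data\\1Password10.cache.sqlite, as in the post."""
    return os.path.join(os.environ.get("LOCALAPPDATA", ""), CACHE_RELATIVE)


def build_sample_cache(path):
    """Create a constructed stand-in for the cache db (schema is an assumption)."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, relative_path TEXT, size INTEGER)"
    )
    con.executemany(
        "INSERT INTO files (relative_path, size) VALUES (?, ?)",
        [
            ("richicons/example.com.png", 1234),           # constructed sample row
            ("richicons/login.example-bank.co.uk.png", 2222),  # constructed sample row
            ("richicons/nohost.png", 10),                   # no hostname in it
        ],
    )
    con.commit()
    con.close()


def hostnames_in_text(value):
    """Return hostnames found in one text value, checking each path segment."""
    found = []
    for seg in re.split(r"[/\\]", value):
        root, ext = os.path.splitext(seg)
        if ext.lower() in ICON_EXTS:
            seg = root
        if HOST_RE.match(seg):
            found.append(seg.lower())
    return found


def hostnames_from_relative_path(path):
    """The post's own check: SELECT relative_path FROM files, extract hosts."""
    con = sqlite3.connect(path)
    hosts = set()
    for (val,) in con.execute("SELECT relative_path FROM files"):
        if isinstance(val, str):
            hosts.update(hostnames_in_text(val))
    con.close()
    return sorted(hosts)


def scan_sqlite_for_hostnames(path):
    """Generic version: walk every table and every column of any SQLite file
    and report hostname-shaped strings, wherever they are stored."""
    con = sqlite3.connect(path)
    hosts = set()
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            for (val,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                if isinstance(val, str):
                    hosts.update(hostnames_in_text(val))
    con.close()
    return sorted(hosts)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "1Password10.cache.sqlite")
        build_sample_cache(db)
        print("files.relative_path:", hostnames_from_relative_path(db))
        print("whole database:     ", scan_sqlite_for_hostnames(db))
```

Pointing `scan_sqlite_for_hostnames` at the real path from `default_cache_path()` (while 1Password is locked or exited, as the post notes the file persists) is the reproducible form of the observation; the generic scan also catches the case where the same hostnames are duplicated in a column or table the GUI review did not look at.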
Hi @fryrpc,
Thanks for reporting this.
That is correct: the metadata on the list of sites for which you have a Rich Icon isn't yet encrypted on the local drive; metadata often aren't encrypted. The same information is also exposed through your web browsers, the computer's caches and more. Some metadata are not encrypted due to the availability of said data on the local disk. This is not a security issue, but for some, privacy is part of the security features. Even if this were fully encrypted, the request made to retrieve a Rich Icon for a site you visit would still be exposed in the network traffic, so anyone who is already capable of compromising your local computer drive can also capture your traffic and get more useful information that way.
We're already in the process of cleaning this up in the next update, coming soon, as we're getting rid of the cache db file as part of our internal overhaul to handle binary files better for the new features coming in 1Password 6.8 and future 7.x updates. We will make sure to protect the URL metadata.