The Security content of Betas 7.2.3-Beta-3 and 7.2.3-Beta-4

jpgoldberg
1Password Alumni

1Password for Mac Beta 7.2.3-Beta-3 and 7.2.3-Beta-4 (both released December 3) fixed and mitigated a security issue present from 7.2.3-Beta-0 (released November 2).

Recommended action

If you are still using any of 1Password for Mac 7.2.3 BETAs 0, 1, or 2, update to the latest beta immediately. Otherwise, there is no action you need to take.

Overview

Under some circumstances, the affected betas could have written some secrets to local log files. 7.2.3-Beta-3 fixed the logging bug, and 7.2.3-Beta-4 removes the relevant log files. Our notice about CVE-2018-19863 contains more details.

The bug we fixed was a serious error, which I do not wish to play down. However, I also want to make it clear that the damage from it is limited:

  • It did not expose secrets stored in 1Password or coming from 1Password.
  • It did not expose 1Password Master Passwords or Secret Keys or encryption keys or anything of that nature.
  • It will not have affected everyone using one of the affected Betas.
  • We have no reason to believe that it was known or exploited before it was discovered and fixed.
  • Exploiting it would require that the attacker has significant privileges on the user's machine.

OK. So now that you know why not to worry, I'll summarize what the bug did and what our fixes do.

The buggy behavior

The affected 1Password for Mac Betas would sometimes locally log information coming from Safari. So, for example, if you manually entered a username and password into a web form in Safari, then those details (including the password) may have been written to disk on your own machine.

The fixes

  • 7.2.3-Beta-3 no longer included the inappropriate logging statements.
  • 7.2.3-Beta-4 removed the log files.

Because secrets may have been saved on users' disks in logs, we wanted the opportunity to remove the logs before making this issue public.

Additional actions?

Quoting from our article,

Those who want to verify that no secrets remain in log files may inspect the content of any files in the folder:

~/Library/Containers/com.agilebits.onepassword7.1PasswordSafariAppExtension/Data/Library/Logs/1Password

These log files are not typically included in most backups.
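
As an added example, not part of the original post or of 1Password's own tooling, here is a small POSIX shell check that reports whether any files remain in that folder after the Beta-4 cleanup. The folder path is the one quoted above; the optional directory argument exists only so the check can be exercised against a test directory.

```shell
#!/bin/sh
# Added example: verify that the 1Password Safari App Extension log folder
# named in the post contains no leftover log files. Not 1Password's own code.

# Default path is the folder quoted in the post (expanded from $HOME).
LOG_DIR_DEFAULT="$HOME/Library/Containers/com.agilebits.onepassword7.1PasswordSafariAppExtension/Data/Library/Logs/1Password"

# check_safari_extension_logs [DIR]
# Lists any regular files still present under DIR (default: LOG_DIR_DEFAULT)
# so the user can inspect them. Returns 0 when the folder is absent or empty,
# 1 when files remain. Nothing is deleted; this only reports.
check_safari_extension_logs() {
    dir="${1:-$LOG_DIR_DEFAULT}"

    # A missing folder means there is nothing left to inspect.
    if [ ! -d "$dir" ]; then
        echo "clean: log folder not present: $dir"
        return 0
    fi

    # Count regular files at any depth; `tr` strips the padding wc may add.
    count=$(find "$dir" -type f | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "clean: no log files remain in $dir"
        return 0
    fi

    echo "warning: $count log file(s) still present in $dir; inspect them for secrets:"
    find "$dir" -type f -exec ls -l {} \;
    return 1
}

# Run against the real folder when executed directly (not when sourced by a test).
if [ "${CHECK_LOGS_NO_MAIN:-0}" = "0" ] && [ "$(basename -- "$0")" != "sh" ]; then
    check_safari_extension_logs "$@"
fi
```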
