Security Bug? 1Password requires access to www.carshowrooms.com.au

SockThief
Community Member

Why in God's name, does 1Password require access to www.carshowroom.com.au?

After denying it access (yeah, I kinda don't like giving apps that handle my security access to websites I have no idea about) it appears it's required for the welcome splash screen.

But really? carshowroom.com.au? I could understand it requiring access to agilebits.com, but carshowroom? Really? Tell me I'm missing something here, cos this just screams dodgy in 10 languages at 177dB.

Comments

  • Stephen_C
    Community Member

    That is completely bizarre. Are you completely sure you didn't ask 1P to log in to that site? There is simply no way 1P will wander off and connect to sites like that at random. It is most certainly not required for the splash screen.

    An alternative theory, of course, is that you might somehow have acquired a trojan which is hijacking something.

    Stephen

  • SockThief
    Community Member

    Oh great! If you don't give it access, it doesn't seem like you can actually use the 1Password main app, as the welcome screen never goes away!

    PS: on multiple restarts, it starts requesting access to all sorts of other incomprehensible URLs... What's going on here?

  • SockThief
    Community Member

    Stephen, if I deny it access the images in the splash screen don't load. Even if I do, I never get the application main window after that, so I am unable to check if I have that page saved. But even if I have that page saved, why would it want to open it at launch?

    Note, this is happening after an upgrade from Mavericks to Yosemite after which I was required to reinstall 1Password. Under Mavericks I never got these issues. I have not installed anything in between, and I am generally pretty careful with what goes on my Mac, so I doubt it's a trojan.

  • SockThief
    Community Member

    This is what I see if I deny access to the weird URLs. If I click the "Awesome! Let's get started", the splash disappears, and nothing else happens. Reopening the app causes the same welcome splash every time and request for those URLs.

    Deleting and redownloading the app from the app-store (following this post: https://discussions.agilebits.com/discussion/20374/1password-is-damaged-and-cant-be-opened-delete-1password-and-download-again-from-the-app-store) doesn't change anything at all.

    If I look in the 1Password menu, then vault options are disabled as well.

  • SockThief
    Community Member

    Ok, I think I know what is going on now, and perhaps it's only 50% 1Password's fault, 40% Little Snitch's fault, and 10% user error (feel free to adjust the % as you see fit).

    Please correct where my analysis is wrong here:

    So, as I see it and in the screenshot below, 1Password's "Welcome Screen" is in a browser window, and it is pulled down live from the web whenever it is required to be shown.

    It would appear also that the content of said "Welcome Screen" is hosted on a cloudfront server, which carshowroom.com.au is also hosted at. In a reverse IP lookup, Little Snitch thinks 1Password needs to connect to carshowroom.com.au when it is actually a cloudfront shared storage.

    Note: cloudfront is Amazon AWS, so, not an unlikely scenario.

    I can also semi-replicate the issue by disabling my network connection. If I terminate my network, then I get no splash screen at all.

    So, the issues here (as I see it):

    1. Little Snitch incorrectly identifies the source by reverse IP lookup
    2. Agile Bits Welcome Screen requires an active connection to display the Welcome Screen, pulling images from Amazon Cloudfront
    3. Even after the Welcome Screen is cleared, the main app is non functional

    I'm not sure the best way to solve this, but perhaps it would be better if Agile Bits hosted the splash screen images, or better yet, it was static in the App?

    Issue #3 appears to be the subject of a new discussion.

  • Stephen_C
    Community Member
    edited October 2014

    The sites you see to which 1P is connecting are almost certainly the servers for rich icons (which you have probably enabled under 1P > Preferences > General > Use rich icons (under the Display section)). The knowledge base used to contain reference to those servers but I simply can't find the relevant article just at the moment. There is, however, a post here from AgileBits which explains it.

    I am still completely baffled by the "carshowroom" business. It makes no sense at all in the context of the way 1P works (which isn't to deny you have a problem with it!). I'm afraid I'll have to leave that aspect to someone with better technical knowledge than I have.

    Edit: sorry I was doing the research for this post while you posted the additional information. I'll leave it to AgileBits to comment on that.

    Stephen

  • SockThief
    Community Member

    Cheers Stephen

    Rich Icons are disabled:

    Best I can see, it's a reverse IP lookup issue - but I would very much like confirmation from Agile Bits if possible.

  • Niklas
    Community Member

    I'm sorry to barge in like this, but I have two ideas:

    If you open Terminal.app, type more /etc/hosts and press Enter, do you see anything containing carshowroom.com.au?

    Maybe your DNS cache has been borked? Try clearing it.

  • SockThief
    Community Member

    Niklas, I appreciate where you're coming from, and it's definitely not the case that it's an /etc/hosts or DNS cache issue.

    As you can see in the screenshot above, an nslookup on static.parseley.com produces many cloudfront responses, one of which matches what Little Snitch thinks the IP maps to.

    As I've said above, I strongly believe that this is caused by Agile Bits hosting their Welcome Splash screen page in Amazon's AWS, which happens to produce other URLs when an IP reverse lookup happens. Which is understandable as Amazon AWS is a very popular cloud service. However, Agile Bits should handle this better, particularly as they are a "secure application".

    Note also, that I place 40% blame on Little Snitch and 10% on me. However I would really like this confirmed by an employee at Agile Bits, and if I am wrong, I would like a better explanation.

  • SockThief
    Community Member

    Note: now that I have the 1Password main app working (reboot required for some reason), I can confirm that carshowroom.com.au does not exist anywhere in my saved passwords or sites - lending more credence to my hypothesis.

  • [Deleted User]
    Community Member
    edited October 2014

    @SockThief‌

    Here's a response from AgileBits employee/boss @roustem:

    https://discussions.agilebits.com/discussion/comment/80054/#Comment_80054

    Quote:

    1Password connects to Amazon CloudFront when 1Password > Preferences > General > Use rich icons option is enabled. The CloudFront servers are used by many companies and LittleSnitch could report one of the CNAME records that points to the same address.
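
An added illustration, not part of the thread: how one address on a shared CDN maps back to several unrelated hostnames, and how to check the name a firewall displays against the name the application actually resolved. The DNS records, the .example hostnames and the helper functions are all constructed for this example.

```python
# Constructed DNS records for illustration (not captured data). Names use the
# reserved .example TLD; addresses come from documentation ranges.
CNAME = {
    "welcome.vendor.example": "d1aaaa.cdn.example",
    "www.carsales.example": "d2bbbb.cdn.example",
    "updates.other.example": "origin.other.example",
}
A = {
    "d1aaaa.cdn.example": {"192.0.2.10", "192.0.2.11"},
    "d2bbbb.cdn.example": {"192.0.2.11", "192.0.2.12"},
    "origin.other.example": {"203.0.113.5"},
}


def resolve(name, max_depth=8):
    """Follow the CNAME chain (bounded, so loops terminate); return (chain, ips)."""
    chain = [name]
    for _ in range(max_depth):
        target = CNAME.get(chain[-1])
        if target is None:
            break
        chain.append(target)
    return chain, set(A.get(chain[-1], ()))


def names_for_ip(ip):
    """Every known hostname whose forward resolution reaches this address."""
    return sorted(n for n in set(CNAME) | set(A) if ip in resolve(n)[1])


def classify(requested, displayed, ip):
    """Compare the name the app resolved with the name a firewall shows for ip."""
    if ip not in resolve(requested)[1]:
        return "mismatch: requested name does not resolve to this address"
    if displayed == requested:
        return "consistent"
    if ip in resolve(displayed)[1]:
        return "shared address: displayed name is another tenant of the same IP"
    return "unexplained: displayed name does not resolve to this address"


if __name__ == "__main__":
    ip = "192.0.2.11"
    print(ip, "->", names_for_ip(ip))
    print(classify("welcome.vendor.example", "www.carsales.example", ip))
```

A "shared address" result explains the odd label only; the requested name still has to be confirmed from the resolver's own query log before the connection is treated as expected.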

  • Rad
    1Password Alumni
    edited October 2014

    Hi @SockThief‌,

    I confirm that our Welcome to 1Password page is hosted on cloudfront.net :smile:

    Hope that this helps!

    Cheers!

    Rad

  • SockThief
    Community Member
    edited October 2014

    @Xe997 thanks for the response - as you can see in post #8, rich icons are disabled :)

    @Rad Awesome, thanks for the response. I question whether this is a good UX decision, for the following reasons:

    1. As posted here, there is a question as to where assets are coming from - yes, this is a Little Snitch issue in the main (a bug report has been filed!) but it does lead to confusion for users who may be using Little Snitch (or any other similar product) which would alert them to assets coming from a strange URL. As you can see, I have been able to back track and determine that it's not a major problem - but a less technical user might not. Further as you can see in post #7 from Stephen, he has immediately come in with a threat of a Trojan hijacking connections! Somewhat alarmist and would potentially lead a non tech user down a blind path of reinstalls etc, etc when no threat exists. *
    2. In the case that I install 1Password and then do not have an active connection, the "Welcome" screen I see is shown in Post #5 - a blank screen! This is not a very helpful or useful situation for a new user - 1Password does not (essentially) require a network connection, but the first impression a new user without a connection will see won't be friendly! Sure it's unlikely to happen, and you had a network connection when you downloaded the app from the app store etc. But it does happen, and there is no default page to display, even. In my opinion, an optimal solution might be - if a network connection exists, download the latest page, if no connection exists, then display a default with a link to the latest page that the user may open in a browser. I would also prefer the assets be hosted on a connection with an AgileBits URL to avoid the issues I've found here.**

    * I agree this would be a snowball situation, but it's a plausible scenario - further, we don't want to be encouraging users to blindly accept connections - even if they are genuine. And once again, yes! This is an issue with Little Snitch, but I found nothing to tell me that 1Password would require a connection to CloudFront, a lot of people wouldn't know what cloudfront is, and I would hope they would question the connection. So, yes, there is a lot that is outside of 1Password's realm, but I think there are some improvements that 1Password (and Little Snitch) can make to improve the user experience.

    ** I understand entirely why you would host the welcome page remotely and why cloudfront is a good solution - As I've said multiple times in this post, I think there are some improvements to the UX and the customer information that could be made.

    Lastly @Rad - Do you agree with my analysis of the situation and thus I can reasonably conclude my connection is not being hijacked?

  • sjk
    1Password Alumni

    Hi @SockThief,

    Just wanted to let you know I made a minor edit to your post so it would format as I think you intended; hope you don't mind. :)

  • Rad
    1Password Alumni

    Hi @SockThief‌,

    Thanks for the lengthy reply :smiley:

    I will be answering your inquiries in order:

    1. As posted here, there is a question as to where assets are coming from - yes, this is a Little Snitch issue in the main (a bug report has been filed!) but it does lead to confusion for users who may be using Little Snitch (or any other similar product) which would alert them to assets coming from a strange URL. As you can see, I have been able to back track and determine that it's not a major problem - but a less technical user might not. Further as you can see in post #7 from Stephen, he has immediately come in with a threat of a Trojan hijacking connections! Somewhat alarmist and would potentially lead a non tech user down a blind path of reinstalls etc, etc when no threat exists.

    We just filed an internal issue to change the URL for the Rich Icons service. The fix is bound to come out soon.

    ref: OPM-2526

    2. In the case that I install 1Password and then do not have an active connection, the "Welcome" screen I see is shown in Post #5 - a blank screen!

    We used to cache the Welcome page in 1Password 4, and we also considered bundling it in the build. However, after encountering several issues, we had to make a compromise and fetch it when it is displayed. The Welcome page window is displayed when the user launches 1Password for the very first time and there is a strong likelihood that the user has an internet connection because the launch usually happens right after the download.

    Do you agree with my analysis of the situation and thus I can reasonably conclude my connection is not being hijacked?

    I cannot make any statement about your connection being hijacked or not, because I don't have a full overview of your system. There are several factors and details that are missing for me to draw a conclusion.

    Hope that this helps :wink:

    Cheers!

    Rad

  • SockThief
    Community Member

    @rad - awesome response!

    Just a note on this:

    We just filed an internal issue to change the URL for the Rich Icons service. The fix is bound to come out soon

    As you can see in Post #8, Rich Icons were disabled, so this issue is wider reaching than just Rich Icons. Will there be a fix for the splash screen as well?

  • Hi @SockThief,

    I don't know yet, it depends on if this internal change works. CDN is a complex beast to maintain and sometimes it doesn't work the way we want it to.

    Right now, we're going to try to fix this for the Rich Icons and if it does work, we'd likely expand it to the rest, such as our welcome page and our guides. I've updated the internal bug report to make sure we cover the rest once the fix works.

  • SockThief
    Community Member

    Awesome @MikeT - I consider this closed now

  • Hi @SockThief,

    That's great. We won't close the thread as we haven't fixed it just yet and you might have other questions related to this in the future.

    Thanks again for creating this thread!

This discussion has been closed.