Android beta 7.6.1.BETA-1 critical authentication bypass.

DariusR
Community Member
edited June 2020 in Android

Hey AgileBits beta Android team,

I emailed support+security@1password.com yesterday about a fairly severe/critical security flaw in the Android beta which allows for a persistent bypass of authentication to access login/password information from anywhere in Android OS.

It's possible after unlocking the database for the first time to trigger a scenario in which all logins/passwords are available via the autofill suggestions without any further password or biometric. The problem can only be cleared with a phone reboot or by force stopping 1Password.

I never received an auto response and became concerned that the email wasn't received because I didn't initiate it from within the app.

I've now reproduced the flaw on two different phones and two different versions of Android.

Figured I would receive a response back pretty quickly given the severity. I can imagine an exploit hypothetically trying to skim an entire database with this persistent authentication bypass.

Can someone get in touch?

I have additional information to provide but can't do so until I receive a response with the ticket ID.

Comments

  • Thanks @DariusR, I can confirm that we've received your email and we'll respond to you there ASAP :+1:

  • DariusR
    Community Member

    Thanks @andiAG

    Replied to your email with the additional details.

    I'll switch back to the Android Beta once this is sorted.

    Cheers
    Darius

  • Got it, thanks :)
