CarOli (New Contributor), 7 months ago
Secuvera findings
Hi there,
Will you improve the security of your product after secuvera's findings?
Yes, secrets need to be accessible to the processor, but the findings say the secrets of 1P stay there e...
1P_Dave (Moderator), 7 months ago
Hello everyone,
The reported issue is classified as a “local attack,” which means a malicious actor would need to first gain access to an end user’s computer. Once a malicious actor has complete control over your device, the software on that device is vulnerable to local attacks. Using any software on a device you cannot trust is inherently risky, and we recommend ensuring you are running updated software on well-secured endpoints that you trust.
A quick refresher on how 1Password’s security model works:
- Your 1Password account password protects your data on your devices. Someone who has access to your devices or backups won’t be able to unlock 1Password without your account password, which only you know.
- Your Secret Key protects your data off your devices. Someone who attempts a brute-force attack on our servers won’t be able to decrypt your data without your Secret Key, which we never have.
The researchers did not recover the 1Password account password from memory. In this case, researchers obtained the Secret Key, and only the Secret Key, from a device's local memory which isn’t sufficient to decrypt the data stored in 1Password since it remains protected using your account password.
Even if an attacker with control of your local device was prevented from recovering the Secret Key from memory, they would still be able to recover the Secret Key from other locations on disk. For example, from the browser's local storage if you’re using 1Password in the browser, or in OS-managed keychains.
In our security design whitepaper (pg. 82) and in our blog, we outline the limitations of protection against these local attacks where a malicious actor has control of your devices. 1Password will continue to work on increasing these protections where possible.
-Dave
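The two-secret model the reply describes, as an added Python illustration that is not 1Password's own code: a key derived from both the account password and the Secret Key wraps the vault key, so someone holding the wrapped blob plus the Secret Key alone cannot unwrap it. The PBKDF2 iteration count, salt, password and Secret Key values are constructed, and the XOR-plus-HMAC wrap is a simplified stand-in for a real key-wrapping scheme.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Simplified two-secret key derivation, modelled on the account-password +
# Secret-Key design described in the reply. This is an added illustration,
# not 1Password's code; the iteration count and salt are constructed values.
ITERATIONS = 100_000

def derive_unlock_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """32-byte key: slow PBKDF2 over the password XOR an HMAC expand over the Secret Key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    sk_part = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    # XOR combination: neither input alone determines the result
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def wrap_vault_key(vault_key: bytes, unlock_key: bytes) -> bytes:
    """Wrap a 32-byte vault key: XOR with the unlock key, then append an HMAC tag."""
    wrapped = bytes(a ^ b for a, b in zip(vault_key, unlock_key))
    tag = hmac.new(unlock_key, wrapped, hashlib.sha256).digest()
    return wrapped + tag

def unwrap_vault_key(blob: bytes, unlock_key: bytes) -> Optional[bytes]:
    """Return the vault key, or None when the tag fails (i.e. the unlock key is wrong)."""
    wrapped, tag = blob[:32], blob[32:]
    expected = hmac.new(unlock_key, wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, unlock_key))

def demo() -> Dict[str, bool]:
    """Constructed scenario: the wrapped blob and the Secret Key leak, the password does not."""
    salt = b"constructed-salt-value-0"
    password = "correct horse battery staple"      # constructed; stays with the user
    secret_key = "CONSTRUCTED-SECRET-KEY-EXAMPLE"  # constructed; assumed recovered from memory
    vault_key = bytes(range(32))                   # constructed 32-byte vault key
    blob = wrap_vault_key(vault_key, derive_unlock_key(password, secret_key, salt))
    # Legitimate unlock: both secrets present
    ok = unwrap_vault_key(blob, derive_unlock_key(password, secret_key, salt))
    # Secret Key only: the password must still be guessed (here, one wrong guess)
    sk_only = unwrap_vault_key(blob, derive_unlock_key("wrong guess", secret_key, salt))
    # Password only (e.g. phished) without the Secret Key
    pw_only = unwrap_vault_key(blob, derive_unlock_key(password, "", salt))
    return {"both": ok == vault_key, "secret_key_only": sk_only is None, "password_only": pw_only is None}

if __name__ == "__main__":
    print(demo())  # {'both': True, 'secret_key_only': True, 'password_only': True}
```

Each wrong-key attempt fails on the HMAC tag, which is the point of the reply: the Secret Key on its own does not unlock the data, it only adds entropy that an off-device brute force would lack.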