1Password leaks your information

Dale Myers:

For those of you who don’t know, 1PasswordAnywhere is a feature of 1Password which allows you to access your data without needing their client software. 1Password originally only used the “Agile Keychain” format to store their data (not including when they were OS X keychain only). This format basically stores your data as a series of JavaScript files which are decrypted when you supply your master password. Since the files are JavaScript and implementations of various crypto algorithms exist in JavaScript, there was no reason why AgileBits couldn’t come along and make an HTML and JavaScript client for viewing your data, so they did.

If you browse to your .agilekeychain “file” on disk, you find that it is actually a directory. Inside this directory is a file named “1Password.html”. If you access this file over HTTP (note that using the file protocol won’t work), you will be greeted with a grey page which has a lock image and a password field. Enter your password and your keychain will unlock and you have a read only view of your data.

So what’s the problem? Well, it turns out that your metadata isn’t encrypted. I discovered this after having a sync issue with Dropbox (I use Dropbox to host my keychain). The file that had issues was 1Password.agilekeychain/data/default/contents.js. Being a curious kind of guy I opened the file to see what was in there. The answer is the name and address of every item that I have in 1Password. Every single one. In plain text.

For many reasons I have been using pwSafe rather than 1Password for a couple of years now. I haven't been able to put my finger on why, and it certainly wasn't because I even dared to suspect anything like what Dale Myers found, but I'm glad I went against the current and chose pwSafe.
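To see what a synced folder exposes in the way the quoted passage describes, the following added example (not part of this post or of Dale Myers's article) walks a directory tree, finds every `.agilekeychain` directory, and lists the titles and locations readable from `data/default/contents.js` without the master password. It assumes the file is a JSON array of entries with the title at index 2 and the location at index 3; that layout, the function names and the sample data are assumptions or constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumed entry layout in contents.js (not stated on the page):
# [uuid, type, title, location, ...]
TITLE_IDX, LOCATION_IDX = 2, 3

def exposed_metadata(keychain_dir):
    """Return (title, location) pairs readable without the master password."""
    contents = Path(keychain_dir) / "data" / "default" / "contents.js"
    if not contents.is_file():
        return []
    try:
        entries = json.loads(contents.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return []  # e.g. a file damaged by a sync conflict
    if not isinstance(entries, list):
        return []
    return [(str(e[TITLE_IDX]), str(e[LOCATION_IDX]))
            for e in entries
            if isinstance(e, list) and len(e) > LOCATION_IDX]

def audit_synced_folder(root):
    """Map each *.agilekeychain directory under root to its plaintext metadata."""
    report = {}
    for kc in sorted(Path(root).rglob("*.agilekeychain")):
        if kc.is_dir():
            report[str(kc.relative_to(root))] = exposed_metadata(kc)
    return report

def build_sample(root):
    """Create a constructed keychain directory with two made-up entries."""
    d = Path(root) / "1Password.agilekeychain" / "data" / "default"
    d.mkdir(parents=True)
    sample = [
        ["A1B2", "webforms.WebForm", "Example Bank", "bank.example.com", 0, "", 0, "N"],
        ["C3D4", "webforms.WebForm", "Example Mail", "mail.example.org", 0, "", 0, "N"],
    ]
    (d / "contents.js").write_text(json.dumps(sample), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kc, items in audit_synced_folder(tmp).items():
            print(f"{kc}: {len(items)} entries readable without the master password")
            for title, location in items:
                print(f"  {title} -> {location}")
```

Point `audit_synced_folder` at the folder you sync to see what anyone with read access to that folder can learn without your master password.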

