1Password leaks your information
If you browse to your .agilekeychain “file” on disk, you find that it is actually a directory. Inside this directory is a file named “1Password.html”. If you access this file over HTTP (note that using the file protocol won’t work), you will be greeted with a grey page which has a lock image and a password field. Enter your password and your keychain will unlock and you have a read-only view of your data.
So what’s the problem? Well, it turns out that your metadata isn’t encrypted. I discovered this after having a sync issue with Dropbox (I use Dropbox to host my keychain). The file that had issues was 1Password.agilekeychain/data/default/contents.js. Being a curious kind of guy I opened the file to see what was in there. The answer is the name and address of every item that I have in 1Password. Every single one. In plain text.
For many reasons I have, for a couple of years now, used pwSafe in preference to 1Password. I have not been able to put my finger on why, and it was certainly not because I even dared to suspect anything like what Dale Myers found, but I am glad that I went against the current and chose pwSafe.
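
To see what the quoted post means in practice, the following added example (not code from Dale Myers or from 1Password) lists the item names and hosts that anyone holding a copy of your own contents.js can read without the master password. The row layout, the field names, the item type strings and the sample rows are assumptions made for illustration; the page only says that the file holds the name and address of every item.

```python
import json
import sys
from urllib.parse import urlparse

# Assumed row layout (not given on the page):
# [uuid, type, title, location, updated_at, folder, strength, trashed]
FIELDS = ("uuid", "type", "title", "location")

# Constructed sample rows, not taken from any real keychain.
SAMPLE = json.dumps([
    ["0A1B2C3D", "webforms.WebForm", "Example Bank", "https://bank.example/login", 1444000000, "", 0, "N"],
    ["4E5F6A7B", "webforms.WebForm", "Clinic portal", "clinic.example", 1444000100, "", 0, "N"],
    ["8C9D0E1F", "securenotes.SecureNote", "Safe combination", "", 1444000200, "", 0, "N"],
    "unexpected-entry",
])


def exposed_metadata(text):
    """List what is readable in contents.js without the master password."""
    items = []
    for row in json.loads(text):
        if not isinstance(row, list) or len(row) < len(FIELDS):
            continue  # row does not match the assumed layout
        item = dict(zip(FIELDS, row))
        location = item["location"] if isinstance(item["location"], str) else ""
        # Locations may be full URLs or bare hostnames; keep only the host.
        host = urlparse(location).hostname or location
        items.append({"type": item["type"], "title": item["title"], "host": host})
    return items


def summarize(items):
    """Count readable items and collect the distinct hosts they reveal."""
    return {"items": len(items), "hosts": sorted({i["host"] for i in items if i["host"]})}


if __name__ == "__main__":
    # Pass the path to your own contents.js; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    found = exposed_metadata(text)
    for entry in found:
        print(f'{entry["type"]:<24} {entry["title"]:<20} {entry["host"]}')
    print(summarize(found))
```

Item titles alone can be sensitive (the constructed "Clinic portal" row is an example), so the output is a fair inventory of what a sync provider or anyone with access to the synced folder can learn.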