First things first: if you are one of the many users of the popular 1Password password manager, your passwords were never at risk of falling into the wrong hands.
But, a Microsoft software engineer did shine a light on a potential weakness in the default file used by many 1Password users when syncing their encrypted passwords with other devices, that could expose unencrypted metadata about vault entries.
Dale Myers described his discovery in a blog post:
The file that had issues was 1Password.agilekeychain/data/default/contents.js. Being a curious kind of guy I opened the file to see what was in there. The answer is the name and address of every item that I have in 1Password. Every single one. In plain text.
For those of you thinking “So what?”, perhaps you have nothing of interest in there, but there are other considerations. Perhaps I signed up for somespecificpornsite.com and this isn’t something I want to broadcast. However, I’ve done just that. Anyone who knows the link to the main login page for my keychain can just alter the link and get this file. They can go through and find out exactly what shady sites I have accounts on, what software I have licences for, the bank card and accounts I hold, the titles of any secure notes I have, and anything else I’ve decided to store in there.
Myers reached out to AgileBits, the developers of 1Password, who said they were aware of the issue and that it came about because of design decisions made when it introduced AgileKeychain in 2008, motivated in part by performance issues.
The firm says that its new file format, known as OPVault, provides greater security and encryption, and was introduced at the end of 2012. However, users of Android and Windows, or those who synced their 1Password vault through Dropbox, remained on the AgileKeychain format as the company “didn’t want to rush into something that would disrupt people’s workflows.”
In short, that means that many 1Password users could potentially have had metadata exposed about which sites they stored passwords for – although not the passwords themselves – if an attacker had access to their computer or Dropbox folder.
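To make the exposure concrete, here is an added audit helper (not AgileBits code, and written from the user's side) that lists the plaintext titles and site hostnames a legacy contents.js carries and locates any .agilekeychain bundles still sitting in a sync folder. The field layout of contents.js is an assumption, since the post does not document it; the sample entries are constructed.

```python
"""Added audit helper (not AgileBits code) for the plaintext contents.js in a
legacy 1Password.agilekeychain. Assumption not stated on the page: each entry
is a JSON array whose first four fields are [uuid, type, title, location];
adjust the index constants if your export differs."""
import json
import os
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample contents.js; not data from any real vault.
SAMPLE_CONTENTS = json.dumps([
    ["a1b2", "webforms.WebForm", "Example Bank", "https://bank.example.com/login", "", 1444800000, "N"],
    ["c3d4", "webforms.WebForm", "Example Dating", "https://dating.example.net/", "", 1444800001, "N"],
    ["e5f6", "securenotes.SecureNote", "Safe combination", "", "", 1444800002, "N"],
    ["bad", "truncated-entry"],
])
TITLE_IDX, LOCATION_IDX = 2, 3

def parse_contents(text):
    """Return (title, hostname or None) for every well-formed entry."""
    rows = []
    for entry in json.loads(text):
        if not isinstance(entry, list) or len(entry) <= LOCATION_IDX:
            continue  # ignore rows that do not fit the assumed layout
        location = entry[LOCATION_IDX] or ""
        host = urlsplit(location).hostname if location else None
        rows.append((entry[TITLE_IDX], host))
    return rows

def exposed_hosts(text):
    """Per-site item counts, readable without the master password."""
    return Counter(host for _, host in parse_contents(text) if host)

def find_legacy_vaults(root):
    """Paths of contents.js files in .agilekeychain bundles under a sync folder
    (.opvault bundles use a different layout and are not matched)."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.endswith(".agilekeychain"):
                path = os.path.join(dirpath, name, "data", "default", "contents.js")
                if os.path.isfile(path):
                    hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    for title, host in parse_contents(SAMPLE_CONTENTS):
        print(f"{title:20} {host or '(no URL)'}")
    print("per-site counts:", dict(exposed_hosts(SAMPLE_CONTENTS)))
```

Point find_legacy_vaults at your Dropbox folder to confirm whether a plaintext contents.js is still being synced before following the migration instructions mentioned below.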
An obvious scenario where this could cause a problem would be where a partner stores passwords for a porn site, an adult dating website such as Ashley Madison, or a secret webmail account which they are conducting an illicit affair through. But I’m sure you can imagine further examples where you wouldn’t want someone else to know what sites you have stored in your password manager.
Although the most sensitive information held in 1Password’s vaults – the passwords themselves – was never at risk, it’s clearly not ideal for the private metadata about password entries to be accessible in this fashion. And it’s disappointing that AgileBits has felt unable to switch more users over to the more secure OPVault format since its introduction in December 2012.
I’ve often thought that it’s more important how a company responds to a security concern than whether it has a security concern in the first place. The issue raised by Dale Myers about 1Password may not be the most serious issue ever found in a password manager, but I watched with interest to see what AgileBits would have to say about it.
The good news is that the developers of 1Password have clearly now decided it is time to move on, and have announced in a blog post that it will be making changes to its software to adopt OPVault as the default format.
Company founder Dave Teare warned that the new feature may be a little time coming for users on some platforms:
“It will take time to complete the transition as there’s a lot of moving parts, especially on Android, but we’ll get there.”
In the fullness of time, the plan is to automatically migrate all 1Password users to the more secure OPVault file format. But for those who don’t wish to wait, it has provided instructions for Mac, Windows, iOS and Android users on what they can do right now.
Just be sure to back up your 1Password data before making any changes. You don’t want to make a blunder and lose access to all of your online accounts.