Article just published in Washington Post is saying 1password and others have security flaws


Comments

  • derek328
    Community Member

    @brenty: we're no longer in the realm of likelihood during normal operation of the OS. That's like saying that AES is broken because at some point in the future someone may find a flaw or just be able to brute force it using technology which does not today exist.

    That's not an accurate assessment though. While a publicly accessible method of breaking AES encryption is, for the large part, unavailable and may not even exist right now for AES-256 - privilege escalation malware is a very common thing out there (and a real threat today).

    I'm not sure how these two threats (one imaginary, one present and realistic) are comparable. @bkh's original post was asking about current threats that people can encounter today, right now, and that's categorically different from an imaginary AES decipher.

  • XIII
    Community Member

    @brenty Thank you for your reply.

    I admit I'm not sure what you're asking here. Can you elaborate?

    I was (and am) surprised that there are only two entries in JSON format (in plain text; maybe more in some binary format?) in the entire dump file and both entries are for 1Password itself (all the data I listed).

    I'm curious why it's only those. Maybe I should try a Watchtower check and dump again to see whether anything changes?

    (I don't have access to that Windows PC for several hours)

  • AGAlumB
    1Password Alumni

    the "great article" that you refer to actually acknowledges this

    @gazu: That's been mentioned numerous times in this discussion already. If derek328 keeps saying his piece and you keep saying this, we're just going to be going around in circles forever. Let's break the cycle and just agree to disagree if necessary. :crazy:

  • AGAlumB
    1Password Alumni

    That's not an accurate assessment though. While a publicly accessible method of breaking AES encryption is, for the large part, unavailable and may not even exist right now for AES-256 - privilege escalation malware is a very common thing out there (and a real threat today). I'm not sure how these two threats (one imaginary, one present and realistic) are comparable. @bkh's original post was asking about current threats that people can encounter today, right now, and that's categorically different from an imaginary AES decipher.

    @derek328: Fair enough. Maybe you know something I don't. But I'm not aware of unpatched vulnerabilities of that kind at this time. Certainly new ones could be discovered though, which was the point of my AES comparison, though I will grant you that the time scale is probably very different.

  • AGAlumB
    1Password Alumni

    I was (and am) surprised that there are only two entries in JSON format (in plain text; maybe more in some binary format?) in the entire dump file and both entries are for 1Password itself (all the data I listed). I'm curious why it's only those. Maybe I should try a Watchtower check and dump again to see whether anything changes? (I don't have access to that Windows PC for several hours)

    @XIII: Ah! I understand completely. Thank you! Indeed, that's the thing that sucks about all of this, it's just not predictable. It would be much better for all of us if it were possible to say something like "if you do X then Y data will remain in memory for Z time". That's much more manageable, both technically and at a cognitive level -- much less frustrating, as everyone could make decisions based on that understanding. I just don't have a good answer for you there, though I do suspect you would get different results after a Watchtower update, especially if something changed and the check had to be performed against the database again. Again, I'm sorry I can't offer you more than that. :blush:

  • alexyang
    Community Member

    @brenty Thank you very much for your reply. I know you guys must be very busy in the last couple of days, and I totally understand you guys will need some time to think of a strategy to cater for that. What I wanted to emphasise is the high risk of exposure due to the low barrier of attack and high value of the target.

    There are varying degrees of compromise, of course, but we should assume that if someone has gone to the trouble to create malware for you to infect yourself with, they're going to do their best to use any foothold they gain, whether that's just monitoring the clipboard (with very limited privileges) or installing a rootkit (if they have sufficient access).

    Because this attack does not require privilege escalation, nor exploit any OS security vulnerabilities, nor stay in memory as a background process, its behaviour would be very similar to normal apps, and make it hard for antivirus or HIPS applications to detect. The attacker doesn't need to target any specific person. He just needs to distribute the program as a game, a utility tool, or even embed it in an existing legitimate app, and then sit and wait for data to flow in. There is no remote control, no further compromise, and little to no footprint on the system during the entire attack session.

    It's true that some clipboard monitoring tools don't necessarily need privilege, but that has severely limited its capability to gather the valuable information. It has to stay undetected for a long time, and if it's lucky, steal the password while you copy and paste. But with password manager extensions like 1Password X in Chrome, passwords are no longer filled using clipboard, further reducing its capabilities. That's why hackers won't bother with these little tricks nowadays.

    Password managers are an entirely different kind of target. It not only stores credentials for websites, it also includes legal documents, passports, bank accounts and passwords, credit cards, medical files, and much more. Any of this can be classified as SPI (Sensitive Personal Information). In addition, people can store job-related secrets in it, such as company VPN credentials, production server credentials, trade secrets and patterns. It is virtually an invaluable information warehouse, with every kind of information being the target of hackers for decades. In the old days, hackers designed sophisticated malware, rootkits, key loggers, or remote control agents to penetrate users' machines, but because sensitive information is scattered in a number of places, information gathering is limited and requires huge human effort. But with this vulnerability, hackers just need to hide a small un-elevated program to be executed, and then wait to collect this huge collection of high-value secrets to compromise not only a person, but a company, or even a country.

    If you want people to put so many secrets in your app, you have got to do everything in your power to keep it secure. This vulnerability is a single point of failure in the entire security system in the digital world. It is so easy to exploit, yet has so much value. I bet it will become a very hot target in the coming years in the security industry. If the current technologies in the market cannot support the centralised management of so many secrets, then I think the time for password managers is still yet to come.

    I disagree with this wholeheartedly. Someone using 1Password is not more at risk than someone who is not. Even the researchers recommend that we continue using our password managers.

    I was not saying we shouldn't use 1Password, or password managers in general. In fact, I am quite an advocate of password managers and especially 1Password. I was simply suggesting that people not use broken software that is known to leak secrets until it's fixed. That's why I was saying to use 1Password X with Chrome instead of the Windows app for the moment, because Chrome has better memory protection than the 1Password Windows app, which you also agreed. Having secrets scattered in different places is no worse than having all secrets stored in one place and leaking them to an attacker in an easy attack.

    I hope you understand my concern as a software developer and a heavy user of 1Password. If I didn't want to use your app anymore, I would not have spent 40 minutes writing this.

    Thanks again.

  • AGAlumB
    1Password Alumni

    Thank you very much for your reply. I know you guys must be very busy in the last couple of days, and I totally understand you guys will need some time to think of a strategy to cater for that.

    @alexyang: Likewise, thanks for your patience and willingness to have a dialogue. Indeed, it's good to be busy because that means people care about 1Password, but...yeah, I think in a perfect world all involved would be better off not having to worry about something like this. :)

    What I wanted to emphasise is the high risk of exposure due to the low barrier of attack and high value of the target.

    I'm really sorry to belabour the point, especially because I understand the objections to this, but this is exactly our concern: you're not wrong, but there is a very low risk of exposure except in a situation where the machine is compromised, either locally or remotely. I get that the conversation doesn't stop there, but it's really important that we don't blow this out of proportion. For the average person who is security conscious and practicing good hygiene, they're still better off using 1Password or another password manager in the list than not, because the alternative is, in most cases, not having anything encrypted at any time and using the same crappy passwords we all used to when we didn't know any better. No one's 1Password data is going to spontaneously end up in the hands of bad guys. I know you're not suggesting that, but someone reading a discussion like this and not understanding the full context or all the particulars sees words like "leak", "exposure", "hack", etc. and gets that impression. That's why we're so tiresome about reiterating this point. Thanks for bearing with us.

    Because this attack does not require privilege escalation, nor exploit any OS security vulnerabilities, nor stay in memory as a background process, its behaviour would be very similar to normal apps, and make it hard for antivirus or HIPS applications to detect. The attacker doesn't need to target any specific person. He just needs to distribute the program as a game, a utility tool, or even embed it in an existing legitimate app, and then sit and wait for data to flow in. There is no remote control, no further compromise, and little to no footprint on the system during the entire attack session.

    While I don't agree with using the term "attack" since there is not one as far as we know, you raise good points. I'm sorry that we don't have a solution to that currently. Ironically, 1Password already often gets flagged by antivirus software because of its use of encryption (which I can only guess is triggered by heuristics meant to catch ransomware). We need to move toward more aggressive handling of unencrypted data, and that will probably result in more false positives, but there will always be tradeoffs.

    It's true that some clipboard monitoring tools don't necessarily need privilege, but that has severely limited its capability to gather the valuable information. It has to stay undetected for a long time, and if it's lucky, steal the password while you copy and paste. But with password manager extensions like 1Password X in Chrome, passwords are no longer filled using clipboard, further reducing its capabilities. That's why hackers won't bother with these little tricks nowadays.

    Very true. I didn't have passwords specifically in mind with the clipboard thing, but I should have been more clear about that. Anyway, you're right.

    Password managers are an entirely different kind of target. It not only stores credentials for websites, it also includes legal documents, passports, bank accounts and passwords, credit cards, medical files, and much more. Any of this can be classified as SPI (Sensitive Personal Information). In addition, people can store job-related secrets in it, such as company VPN credentials, production server credentials, trade secrets and patterns. It is virtually an invaluable information warehouse, with every kind of information being the target of hackers for decades. In the old days, hackers designed sophisticated malware, rootkits, key loggers, or remote control agents to penetrate users' machines, but because sensitive information is scattered in a number of places, information gathering is limited and requires huge human effort. But with this vulnerability, hackers just need to hide a small un-elevated program to be executed, and then wait to collect this huge collection of high-value secrets to compromise not only a person, but a company, or even a country.

    You're right of course, though I think you're running the risk of hand-waving the part where someone needs to download and install the malware, which needs to get past antivirus at that point and not get detected reading all that memory, just as we're sort of hand-waving the part where 1Password just needs to clear memory, etc. It's complex on both sides, but that's not to say that it's not important for us to do more to keep your data safe, just because attackers have to work at it too.

    If you want people to put so many secrets in your app, you have got to do everything in your power to keep it secure. This vulnerability is a single point of failure in the entire security system in the digital world. It is so easy to exploit, yet has so much value. I bet it will become a very hot target in the coming years in the security industry. If the current technologies in the market cannot support the centralised management of so many secrets, then I think the time for password managers is still yet to come.

    I have no doubt that we'll see malware that targets password managers at some point, and you're right that we need to continue to do more, even if I end up being wrong about that. Better safe than sorry.

    I was not saying we shouldn't use 1Password, or password managers in general. In fact, I am quite an advocate of password managers and especially 1Password.

    I understand completely. Thank you.

    I was simply suggesting that people not use broken software that is known to leak secrets until it's fixed.

    This is the thing that's the problem for me. We can argue back and forth about whether or not 1Password (and all password managers, and other apps, allowing the OS to manage their memory) meets someone's definition of "broken", or about there being a "leak". I'd argue that's not the case, but I think you also can have a good case if you define things a bit differently. What I'm concerned about is that rhetoric like that says to most people "don't use a password manager", when that's really the opposite of the message that either of us wants to convey. I'm sorry to be a pain about that, but I hope you get where I'm coming from. I definitely appreciate your position. Again, my concern is that the message many people are receiving as a result of coverage of what is actually a really solid research paper which comes to the conclusion that we should all use password managers, but that password managers need to get better, is "don't use a password manager"; and that's not going to help anyone. Heck, what's the point of improving 1Password if nobody uses it because they've been scared off? So I think that we need to be careful about overstating things.

    That's why I was saying to use 1Password X with Chrome instead of the Windows app for the moment, because Chrome has better memory protection than the 1Password Windows app, which you also agreed. Having secrets scattered in different places is no worse than having all secrets stored in one place and leaking them to an attacker in an easy attack.

    I'm not sure I understand the last bit there, but yes, browsers have some great security measures in place because they've grown up in such a hostile environment. If Windows and macOS had first been created early this century I think it would be an entirely different story. :)

    I hope you understand my concern as a software developer and a heavy user of 1Password. If I didn't want to use your app anymore, I would not have spent 40 minutes writing this. Thanks again.

    100%. Thank you. <3 We're really lucky to have not only passionate users, but also some really knowledgeable ones -- with a special thanks to you, DMeans, gazu, derek328, and others here I'm missing who have been contributing. I'm enjoying the current discussion, but I'll look forward to when we have more information to share on this matter.

  • derek328
    Community Member

    @mzman yeah, it's an insane vulnerability and honestly I said the same thing. An encrypted Office 365 document may offer more security right now imo.

  • Lars
    1Password Alumni
    edited February 2019

    @mzman (edit - and, it looks like @derek328 as well! :) ) - I appreciate your suggestion that we re-code our entire app in a different programming language and remove large chunks of its UI and functionality, but since neither of these approaches are anything that would be possible quickly, I recommend anyone who believes what you've just said you believe (that 1Password is adding no practical security to your passwords and that security through obscurity would be better/preferable) go with their instincts and use whatever alternative method seems most secure to them. To you. I think an honest read through the thread should serve to show that those claims aren't even close to accurate, but obviously when it comes to one's own digital security, each person's responsible for pursuing what they think best. Indeed, my recommendation is essentially what we've always said: that we're glad there's competition in the password manager space, and that security is a process and not a product (any one product, including ours), so if people believe other options work better for their personal needs or their estimation of their own security, then by all means, go pursue those, with our blessing. As long as people are using something better than sticky notes on their monitors or re-using the same half-dozen passwords because that's all they can remember, we'll be happy. Thanks for your comments. :)

  • UnFleshedOne
    Community Member
    edited February 2019

    @gazu

    1Password data can only be read from the memory if you are an administrator (same as KeePassXC)

    This is incorrect: on Windows you don't need to be an admin to read 1Password memory, you only need to run in the same user context. And then you have access to the whole database.

    This can be mitigated by using existing (since Win7) antimalware protection (far from a quick fix I'm sure) or starting 1Password as administrator.

  • Signetur
    Community Member

    @Lars

    Proponent: I'll show you. I should tell you that there's one catch though. Everything I said only applies if you don't open 1Password and actually use it.

    I think everything you said here is a valid critique, but can you not say the same thing about every password manager Security Evaluators tested? And password managers in general to one degree or another given that many of the discussed limitations are OS related?

  • Zoup
    Community Member

    @mzman

    Proponent: I'll show you. I should tell you that there's one catch though. Everything I said only applies if you don't open 1Password and actually use it.

    This would be the same as other password managers. I listed off the results earlier in this thread what other password managers are affected by this same issue. At one point, the vault needs to be decrypted if you want to use it. There is no magic way to get decrypted data out and make it useable without making it plain text.

    There were only a few password managers that did not decrypt the entire vault, which is good, but many of them did reveal the master password in plain text, which is just as bad as revealing the whole vault. The ones that did not decrypt the entire vault and cleared out the master password still would need to have the encryption key in plain text if you want to decrypt any data. So they may have cleared out the master password but they just substituted it for the encryption key, which is more valuable because it's what does the work directly.

    In other words, all password managers suffer from this but it does not mean you should stop using them. This whole thing has gotten blown out of proportion. It's like people are acting like the world is going to end because it might get struck by an asteroid. Sure, it's possible but the odds are not in your favor.

  • RogerD
    Community Member
    edited February 2019

    Thanks, dev team, for allowing an open discussion here!
    @brenty, regarding the suggestion above about Secure Strings, I think I saw earlier that 1Password 7 is C#? .NET does have a SecureString class, and in fact I reported a similar vulnerability a few years ago to the maker of a corporate, IIS-based password manager, and they were able to fix the problem entirely by switching to use this string class. Could be worth a look.

    ETA: Regarding the principle that once your computer is compromised, it's no longer your computer - that's valid only to a point; it's still important to build a time boundary around that. Malware will hit a user with a password manager. It will eventually get detected and removed. Perhaps every action they took during that time is leaked, but it should be contained to that. So the item I'd most like to see fixed is the caching in memory of passwords that haven't been viewed during the session. Even in a managed coding framework, this is doable and a way of containing the blast radius of a memory leak to the tiny fraction of a user's passwords that were accessed during the breach.
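    Building on RogerD's point about containing the blast radius to the items actually used during a session, here is an added C illustration; it is not 1Password's code and not from anyone in this thread. One item's plaintext is held only while in use, and locking overwrites it with a wipe the optimizer cannot remove; the secret_t type, its functions and the sample value are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Holder for one vault item's plaintext. The bytes exist in the clear
 * only between reveal and lock; lock overwrites them in place. */
typedef struct {
    unsigned char *buf;  /* plaintext while unlocked, all zero afterwards */
    size_t cap;          /* bytes allocated for buf */
    int locked;          /* 1 once the buffer has been wiped */
    int mlocked;         /* 1 if mlock() kept the page out of swap */
} secret_t;

/* A plain memset() on memory that is never read again may be removed by
 * the optimizer (dead store elimination), which is one way "cleared"
 * secrets survive in process memory. Routing the call through a volatile
 * function pointer forces the compiler to keep the store. */
static void *(*const volatile force_memset)(void *, int, size_t) = memset;

static void wipe(void *p, size_t n)
{
    force_memset(p, 0, n);
}

/* Copy a plaintext into a fresh holder. */
secret_t *secret_create(const char *plaintext)
{
    secret_t *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    s->cap = strlen(plaintext) + 1;
    s->buf = calloc(1, s->cap);
    if (s->buf == NULL) {
        free(s);
        return NULL;
    }
    /* Best effort: keep the page out of swap. This does not protect
     * against hibernation images, which copy all of RAM to disk. */
    s->mlocked = (mlock(s->buf, s->cap) == 0);
    memcpy(s->buf, plaintext, s->cap);
    return s;
}

/* Returns the plaintext only while unlocked; NULL once locked. */
const char *secret_reveal(const secret_t *s)
{
    return s->locked ? NULL : (const char *)s->buf;
}

/* "Lock means lock": overwrite the plaintext, do not just drop a pointer. */
void secret_lock(secret_t *s)
{
    wipe(s->buf, s->cap);
    s->locked = 1;
}

/* Self-check to run after lock: is every byte of the buffer zero? */
int secret_is_wiped(const secret_t *s)
{
    for (size_t i = 0; i < s->cap; i++)
        if (s->buf[i] != 0)
            return 0;
    return 1;
}

void secret_free(secret_t *s)
{
    if (s == NULL)
        return;
    secret_lock(s);                 /* never free() a live secret */
    if (s->mlocked)
        munlock(s->buf, s->cap);
    free(s->buf);
    free(s);
}

int main(void)
{
    /* Constructed sample value, not a real credential. */
    secret_t *s = secret_create("example-item-password");
    if (s == NULL)
        return 1;
    printf("in use:  %s\n", secret_reveal(s));
    secret_lock(s);
    printf("locked:  wiped=%d reveal=%s\n", secret_is_wiped(s),
           secret_reveal(s) ? "still readable" : "NULL");
    secret_free(s);
    return 0;
}
```

    The same pattern applies per item: decrypt into such a holder when the user opens an entry and lock it when the entry is closed, so only entries used during a session are ever in the clear.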

  • Signetur
    Community Member
    edited February 2019

    @mzman

    But is there a password manager program out there that we know 100% isn't vulnerable in the same basic way? I'm not a coder, but based on what I am reading, it appears that all password managers write either the master password, database entries, or both in clear text to memory. The ones evaluated by Security Evaluators certainly do and they are among the most well known, so I would be highly skeptical of any claim otherwise by any other developer.

    The point is, what 1Password is doing is not unique - everybody else is doing it too. That's by no means an excuse. But there are a few here that act like what 1Password is doing is some uniquely horrible, inexcusable failure. If so, then all other password managers need to be viewed the same and held to the same standard.

    Put simply, this doesn't appear to be just a 1Password problem, but an inherent problem to password managers (and all other consumer software for that matter).

    Clearly, if there were an easy solution, everyone would use it.

  • XIII
    Community Member

    One of the recommendations given here is to reboot your PC.

    How does Fast Startup affect that?

    (Would 1Password data be saved to disk or flushed?)

  • marcioalexx
    Community Member

    Great discussion, I'm from Brazil and I followed much of the discussion (even though I do not know English and have help from Google Translate).

    But I still have a question: in the case of current MacBook Pros with Touch Bar, does this security problem exist? Because it comes with a separate security chip and the Secure Enclave for the secure boot capabilities and encrypted storage. As I use one of these I wonder if I am affected by the problem or not. Thank you.

  • fritzophrenic
    Community Member

    @mzman and @derek328 :

    You've both stated that a simple spreadsheet file could be better than 1Password, because you would probably open 1Password to use your passwords, rather than needing to search for a file on disk.

    If you want to use your passwords, you'll open the spreadsheet too, and it will be in memory in the same way.

    @mzman claims an unencrypted spreadsheet offers equivalent protection at best. For this particular attack vector that might be true. However, the encryption of password databases was never really primarily meant to protect from local malware. It is meant to protect:

    • system or file backups
    • copies used for any sort of synchronization process (manual or built-in) <-- especially this one, you can't safely sync without encryption
    • accidental disclosure from sharing user profile directories, etc.
    • portable copies of the database (the "put it on a thumb drive" method for the old standalone client, or other password managers)
    • other users on the system with read access to your directories (including sysadmins). Yes I know they could install malware and probably get your stuff that way...but it's a little different for a sysadmin on a corporate network to intentionally install malware versus "only" snooping in their coworkers files
    • probably other similar cases I'm not thinking of right now

    @derek328's idea of an encrypted spreadsheet is probably equivalent in terms of protecting the data while not in use, but would also be missing a lot of the features that actually make the password manager usable. Security at the expense of usability tends to drive people to do less secure things. Plus it would rely on copy-paste, and the clipboard is a whole other attack vector you'd need to deal with. The most recent Windows update, for example, has features to automatically keep a history of everything that goes into the clipboard, and sync that between devices. I think it might be opt-in for now but that's not entirely a new issue. And clipboard sniffers have been done in JavaScript alone in the past. Plus, if it gets synced to another device, the clipboard is very easy to monitor from an Android app. Linux desktops as well, but I doubt that's one of the supported sync devices.

    1Password is aware of the problem and is working on it. We even know the internal name for it now which they use to tag all their related issues (LML).

    In the meantime, just exit your password manager while you're not using it.

  • RSaunders
    Community Member

    What a fascinating discussion.

    I clearly represent an obscure use case: I don't use any of the browser-plugin/automatic entry/... features. I open the program, copy the one password I want, paste it into a web page, and quit the program. I run on a Mac, not logged in as admin (though even on Windows I don't let the wife and kids have admin accounts - they complain a lot but I'm just becoming hard of hearing about it). I shut down my computer when I'm not using it.

    I don't get the "I searched a dump and found my password" concern. If you hadn't already known the password, how would you have found it? With Address Space Layout Randomization (ASLR), even knowing the location from one dump won't help you interpret the next dump. I accept that the string I typed (and potentially other strings I typed) might be lying around in some OS/GUI buffer, along with that password I pasted into the browser.

    Much more troubling is the "whole password database in unencrypted JSON structures". That hardly seems like a good thing. The developer explanation, "we need it for WatchTower and searching to work", doesn't tell me anything. What's Watchtower, and why is it worth this exposure? (Remember I'm asking that and I'm not even on a Windows machine where any old chunk of mobile code can read 1Password's process memory.) What's Searching for? How about we include a switch that turns those features off??

    Everything in security is a compromise, and adding more features means there can be more attack surface. These features seem to have dramatically expanded the attack surface, particularly on Windows. There can be compromises on a client, that's why there is anti-virus, and certainly developers aren't suggesting that nobody with good enough hygiene to run 1Password doesn't need anti-virus on their Windows machines. The key is damage control, compromise doesn't get the whole database every time a single item is stolen. It seems that 1Password isn't contributing to good damage control procedures. For what features? Maybe we don't need all those features all the time if it comes at such a cost.

  • dougl
    Community Member

    @HeartfeltSarah Bingo! That's the right, long term solution - get the platform providers (who control when memory is cleared) to provide the functionality.

    Part of my job is to help companies assess cybersecurity risks across their entire enterprise architecture and prioritize security investments (I lead a team of 20 security architects that do that work for hundreds of companies every year). There's always variance in the results due to different regulatory and compliance frameworks, corporate culture and risk tolerance, and unique situations - in many cases it's a judgement call, and that's by definition unique to the individual or organization.

    For the vast majority of regular Windows or MacOS users, the risk (probability*impact) - at present - associated with this vulnerability is low. For iOS it's extremely low, and for Android somewhere in between. We may (and probably will) see malware emerge that targets it, at which point the risk calculation changes, because probability increases. I'd argue that it will probably remain relatively low even in the presence of targeted malware (especially once the signatures and/or behavioral heuristics are known and can be detected and blocked) because the actor will still have to get that code onto the system - either through social engineering to install software, physical access to a running/unlocked machine, or via exploitation of a different vulnerability to surreptitiously install the malicious code. If I can do that, it's game over anyway. Note that all three vectors could compromise passwords _even if/when this vulnerability is mitigated_ by installing a keylogger or other credential harvesting malware. Once compromised, the malware would have to phone home to a C&C server to upload the data (another mitigation is having those C&C servers discovered and blocked via firewall rules or DNS records - for home users, Quad9 or OpenDNS also provide help).

    So the difference between this particular vulnerability and general credential harvesting here is the impact of compromise - because the entire vault is loaded into memory, all passwords are exposed at once, versus over time. That's not trivial to be sure, but remember risk=impact*probability, so with good hygiene and appropriate countermeasures taken (e.g. stay off the seedy side of the internet, lock the machine when you leave it, only install software signed by a known developer, etc), it's still relatively low. Now if someone chains it to an exploit that dumps memory automatically when you plug in a USB device, to that device, that's a higher risk. At that point, superglue in the ports becomes an option :-).

    For most users, the risk of credential stuffing by low-level actors using dictionary or social profile scraping attacks against targeted sites is far higher than this vulnerability. Given that, I continue to recommend that folks use a password manager. For those with unique threat models, killing the app periodically and/or rebooting the machine (or shutting it down - e.g. border crossings) may be a good idea.

    Let me be clear, AgileBits does need to mitigate the vulnerability - attacks only get better, and I really do expect to see malware targeting all password managers now that it's been widely publicized. They have a window to complete that work, and I suspect it's a hot topic internally. As I noted in my last post, regardless of the actual risk, they do need to address LML as this has made people feel as if trust has been broken, and trust is a critical business asset. Unfortunately, what makes it much larger than it might be for Agile and their peers is that people are really bad at assessing risk, especially personal risk. If they were better, most social media sites would have far fewer users than they do :-). So regardless of the actual security risk, mitigations of the business risk are required, and fairly soon.

  • warpspeed
    Community Member

    The authors singled out 1Password 7 for decrypting most everything and leaving it all in accessible memory. They pointed out that 1Password 4 was better in its protection of data in this regard. This is most painful to me, because I recently abandoned 1Password 4 out of necessity when interoperability with Chrome broke. It's a legacy product that was potentially more secure than the new version. They moved it in the wrong direction, from a security point of view.

    1Password knows that good security is difficult. That hasn't stopped them from innovating and taking care with their design in many areas. I think they can do far better in this area. I think they know it too... and I would love to see an announcement regarding a change in direction soon. If that means disabling features and re-coding a lot of their software, they should do it.

    I 100% agree with this. I've just gone through similar where I've installed 1Password 7 on Windows out of necessity. Only to find that it's actually worse than the long deprecated, and no longer supported 1Password 4. This really really really disappoints me. 1Password should never go backward in terms of security, and in regards to 1Password 4 vs 7 this is a significant back-step.

    The blog post that says 1Password 7 for Windows: The Best Ever... is absolutely not true in this (most important) regard.

    It actually offends me that due to 1Password 4 no longer being supported, I'm expected to pay good money for 1Password 7 which in this (most important) regard, is a downgrade from 1Password 4.

    It also significantly offends me that the whole Lock-means-Lock (LML) thing is even an issue. That should never ever have been an issue in the first case and it significantly disappoints me that AgileBits have allowed this to go on for as long as it has.

    It's time for AgileBits to prioritise the security of their apps over the touchy-feely things. Security should be the first and highest priority in all instances.

    There needs to be an announcement/official comment as to the issues and the way forward.

  • XIII
    Community Member
    edited February 2019

    I don't get the "I searched a dump and found my password" concern. If you hadn't already known the password, how would you have found it?

    After having done that I now know that (some) passwords are visible as JSON in the dump.

    And they are even marked as password in that JSON data...

    This makes it rather easy to (either manually or automated) find the ones that are leaked (and which you don’t know a single character of) using the metadata in the JSON.

This discussion has been closed.