"onepassword://share/" links

[Deleted User]

Hello all,

I am looking for information on the "onepassword://share/" links that are created by 1Password when sending items to other apps. Do these links contain a representation of the object being shared or a pointer to this object, which can only be fetched by another logged-in 1Password user? In the second case, how can these links be revoked?

I am trying to wrap my head around the security model of these links and to understand how we should best react should such a link ever leak on the public web or be shared with the wrong party.

Any pointers would be most appreciated!

Lars

@Deleted User - if you've taken the time to look at any of those links, you'll have likely noticed that they're lightly obfuscated. In other words, the naked eye can't tell much if anything about the content of the item being shared, but at the same time, it's relatively trivial to reverse obfuscation. That's why on every platform, when you use those sharing options, you'll be confronted with a "Be aware when you share" pop-up where "I understand" must be clicked to proceed:

Mac:

iOS:

We provide these because a) it's a hugely requested feature by numerous users, and b) it's in some cases the ONLY way to share (especially for people using standalone 1Password instead of a 1password.com membership). But the un-dismissible warning is present in both 1Password for Mac and 1Password for iOS for the very reason you outlined: they're in no way secure. The contents are NOT encrypted (merely obfuscated) and as such, this type of sharing should be thought of only as a last resort in a situation where no more secure method is available. The proper way to share 1Password items with other users is by means of a shared 1Password account, either 1Password Families or 1Password Business; place the items you want to share into a shared vault and invite only the people who should have access to those items to join you in that vault. There is no limit to the number of vaults or configuration of members you can invite to any vault.

If you must share using the share sheet method, there are ways to do it which incorporate the various transmission methods' own encryption, but we can't and don't vouch for nor guarantee those since they're beyond our control. In the Apple ecosystem, Messages is end-to-end encrypted, so you can be as sure as you are of Apple's encryption that any 1Password items shared that way should be relatively safe. Air Drop is similarly encrypted end-to-end, but that obviously requires physical proximity to the person you're trying to share with. I'd also recommend you suggest to anyone you share with this way that they destroy the message containing the item(s), once they've been added to their own 1Password app. Hope that's helpful! :)

[Deleted User]

Thank you, @Lars, that is indeed helpful.

Would I be right in thinking that, in essence, the compromise of a link is equal in every way to the compromise of the item itself?

Is there any chance of knowing more about the obfuscation method being applied?

Ben

That is a good way to look at it, yes. I think the important point to take away is that it is simple obfuscation, not to be confused with the encryption that 1Password typically uses to protect your data. It might help prevent shoulder surfing, but won't help protect against even the most novice of folks who wish to know the contents. Anyone with the 1Password app can click the link and un-obfuscate the item.

Ben

[Deleted User]

Thank you, @Ben!

Ben

You're very welcome. :)

Ben