Android beta 7.6.1.BETA-1 critical authentication bypass.

DariusR
edited June 16 in Android Beta

Hey AgileBits beta Android team,

I emailed [email protected] yesterday about a fairly severe/critical security flaw in the Android beta which allows for a persistent bypass of authentication to access login/password information from anywhere in Android OS.

It's possible after unlocking the database for the first time to trigger a scenario in which all logins/passwords are available via the autofill suggestions without any further password or biometric. The problem can only be cleared with a phone reboot or by force stopping 1Password.

I never received an auto response and became concerned that the email wasn't received because I didn't initiate it from within the app.

I've now reproduced the flaw on two different phones and two different versions of Android.

Figured I would receive a response back pretty quickly given the severity. I can imagine an exploit hypothetically trying to skim an entire database with this persistent authentication bypass.

Can someone get in touch?

I have additional information to provide but can't do so until I receive a response with the ticket ID.

Comments

  • andiAG

    Team Member

    Thanks @DariusR, I can confirm that we've received your email and we'll respond to you there ASAP :+1:

  • Thanks @andiAG

    Replied to your email with the additional details.

    I'll switch back to the Android Beta once this is sorted.

    Cheers
    Darius

  • andiAG

    Team Member

    Got it, thanks :)
