AgileBits response to TeamSIK report on Android version? [https://support.1password.com/kb/201702a/]

lrosenman
Community Member
edited March 2017 in Lounge

https://team-sik.org/trent_portfolio/password-manager-apps/

Any comments from AgileBits on the above?


AgileBits Update:

AgileBits has released our response on our knowledge base. The article is available here:

TeamSIK report on 1Password for Android (February 2017): https://support.1password.com/kb/201702a/


Comments

  • Ben

    Hi @lrosenman

    If you look at the reports for 1Password, each of them indicates that the issue cited has been fixed. :)

    Ben

  • lrosenman
    Community Member

    Thanks -- Just making sure :)

    I just glanced over it, and wanted an "official" answer. Great to see y'all handled it quickly and appropriately.

    Good Job!

  • XIII
    Community Member
    edited March 2017

    While I don't have any Android devices (and don't plan to get any), I would like to know about the AgileBits response to this TeamSIK report:

    https://team-sik.org/trent_portfolio/password-manager-apps/

    Where can I find that?

  • XIII
    Community Member
    edited March 2017

    Ah, I missed this post somehow: :(

    https://discussions.agilebits.com/discussion/76011/comments-on-team-sik#latest

    (my topic can be closed - if the forum software allows that)

  • DanielP
    1Password Alumni

    Hi @XIII,

    We also have an official knowledge base article with our responses which you might find useful :)

  • DanielP
    1Password Alumni

    Hi @lrosenman,

    We also published this knowledge base article with our responses ;)

  • DanielP
    1Password Alumni

    Hi @jmbrasil,

    All the issues reported were fixed in 1Password for Android soon after they were reported to us. You can read more about that here ;)

    Let me know if you have any questions!

  • jmbrasil
    Community Member

    Thank you for clarifying!

  • Rediwed
    Community Member

    According to recent studies, 1Password is one of nine password management apps that have security issues of lesser or greater severity.
    TeamSIK (a German research team) has found five security flaws (https://team-sik.org/trent_portfolio/password-manager-apps/), one of which is high in severity.

    SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
    SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
    SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
    SIK-2016-041: Read Private Data From App Folder in 1Password Manager
    SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager

    My question is whether 1Password is aware of these issues and whether you're already working on an update (or might already have released such an update).

    Thanks in advance & have a great day!

    Rediwed


    1Password Version: Newest android beta
    Extension Version: Not Provided
    OS Version: Android 7.1.1
    Sync Type: 1P Accounts

  • Ben

    On behalf of Daniel you're most welcome. :)

    Ben

  • XIII
    Community Member

    Yes, thank you. The kind of response that increases trust in AgileBits/1Password. Thanks!

  • Krzysiek
    Community Member
    edited March 2017

    Hi,

    Can I ask somebody from the 1Password Team to comment on the following articles about security:

    http://thehackernews.com/2017/02/password-manager-apps.html

    1. Subdomain Password Leakage in 1Password Internal Browser
    2. HTTPS downgrade to HTTP URL by default in 1Password Internal Browser
    3. Titles and URLs Not Encrypted in 1Password Database
    4. Read Private Data From App Folder in 1Password Manager
    5. Privacy Issue, Information Leaked to Vendor 1Password Manager

    https://team-sik.org/trent_portfolio/password-manager-apps/

    1. SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
    2. SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
    3. SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
    4. SIK-2016-041: Read Private Data From App Folder in 1Password Manager
    5. SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager

    ???

  • XIII
    Community Member

    You are not the first to ask today... (neither was I...)

    https://support.1password.com/kb/201702a/

  • Ben

    :+1: :)

    Ben

  • sjk
    1Password Alumni

    Hey @XIII,

    > Ah, I missed this post somehow: :(
    >
    > https://discussions.agilebits.com/discussion/76011/comments-on-team-sik#latest
    >
    > (my topic can be closed - if the forum software allows that)

    No worries! Instead, I've merged the two discussions. :)

  • sjk
    1Password Alumni

    Hey @jmbrasil and @Krzysiek,

    Your questions/comments have now also been merged into this related discussion. Cheers! :)

  • Ben

    Hi @Rediwed,

    I've merged your post into an existing thread on the same topic. Please see above. :)

    Ben

  • prime
    Community Member

    I see you guys are busy!

    Just wondering, do you guys also scan the dark/deep web for issues?

  • GoShawn
    Community Member

    Hi,

    Have you seen this write up: http://thehackernews.com/2017/02/password-manager-apps.html ?

    The report, published on Tuesday by a group of security experts from TeamSIK of the Fraunhofer Institute for Secure Information Technology in Germany, revealed that nine of the most popular Android password managers available on Google Play are vulnerable to one or more security vulnerabilities.

    I'm not saying the sky is falling or anything like that, but I am curious if you've had a chance to review and perhaps rebut any of the findings.

    I work in IT Security and understand context is king, and not everything noted in any finding is "bad" without context.

    It would be great if AgileBits could reply, perhaps with a blog post of its own?


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided
    Referrer: forum-search:Security flaws in 1Password

  • GoShawn
    Community Member

    I should also point out that TeamSIK tested v6.3.3 and not the latest version 6.6.3 that I'm running.

    Really hope they reached out to you before publishing these results. That would be the professional thing to do.
    --shawn

  • sjk
    1Password Alumni

    Hi @GoShawn,

    I've merged your posts into this discussion that @prime referred to; hope you don't mind. :)

    > … and not the latest version 6.6.3 that I'm running.

    Version 6.5.1 is currently the latest release of 1Password for Android. Not sure which version you're running since 6.6.3 doesn't exist for 1Password on any platform at the moment.

  • sjk
    1Password Alumni

    Hi @prime,

    > Just wondering, do you guys also scan the dark/deep web for issues?

    Someone else would be more qualified than I am to answer that. :)

  • GoShawn
    Community Member

    Nope, not at all.

    Although scanning the 1P app vs. addressing the findings are different topics.

    Re: 6.6.3, it was a typo.

    I'm running 6.6 (Mac App Store) on one of my Macs, and 6.6.1 from the AgileBits store on another.

  • Ben
    edited March 2017

    @GoShawn,

    Did you get a chance to read this article? https://support.1password.com/kb/201702a/

    I'm not really sure I understand this comment:

    > Although scanning the 1P app vs. addressing the findings are different topics.

    I may be missing some context.

    Ben

  • GoShawn
    Community Member

    @Ben,

    Context is always important. Please let me clarify:

    a - @Prime asked, "just wondering, do you guys also scan the dark/deep web for issues?"

    b - TeamSIK didn't offer any real information regarding their "security analysis," so it leaves a lot of questions in my mind regarding their testing methodology.

    So my comment is twofold:

    1 - AgileBits likely tests its software using a variety of manual and/or automated methods with a focus on your products and hopefully leveraging 3rd party companies for occasional review, as any reputable software security company would do. I doubt you are spending a ton of time "scanning the dark web for issues," but you might be scanning your own code. :-)

    2 - a full blown, end-to-end, penetration test of an application/service, including front end apps (1Password app for various platforms and the Web App) and back end service (e.g., the menagerie of hardware, software etc. that make up 1Password for Families and Teams) is much different than running a vulnerability scan of an application itself.

    Perhaps I was jumping the gun and my comment should have been put out to pasture. Apologies for that.

    --Shawn

  • DanielP
    1Password Alumni
    edited March 2017

    @GoShawn

    Agreed, your points make perfect sense. I am sure that by now you have had the chance to read our official knowledge base article after TeamSIK's reports (Ben linked it in his last comment here), but because you mentioned third-party audits, I thought you might like taking a look at this other article too ;)

    In summary: you are right, we do not focus on the app code alone; our testing goes way deeper than that.

  • jackiam
    Community Member
    edited March 2017

    Please comment on this issue.
    http://thehackernews.com/2017/02/password-manager-apps.html

    > But what if your Password Managers itself are vulnerable?
    > Well, it's not just an imagination, as a new report has revealed that some of the most popular password managers are affected by critical vulnerabilities that can expose user credentials.

    1Password – Password Manager
    Subdomain Password Leakage in 1Password Internal Browser
    HTTPS downgrade to HTTP URL by default in 1Password Internal Browser
    Titles and URLs Not Encrypted in 1Password Database
    Read Private Data From App Folder in 1Password Manager
    Privacy Issue, Information Leaked to Vendor 1Password Manager

    More info https://team-sik.org/trent_portfolio/password-manager-apps/

    !! Update 2017-03-01: All reported vulnerabilities are fixed by the vendors !!

    1Password Version: 6.6
    Extension Version: 4.6.3
    OS Version: macOS 10.12.3 (16D32)
    Sync Type: iCloud

  • firebeyer
    Community Member
    edited March 2017

    Hey @jackiam,

    AgileBits has an official kb article with their responses which you might find useful :chuffed:

    Also I believe these were vulnerabilities on the Android version not the iOS version.

    Cheers,
    Andrew

This discussion has been closed.