encrypted files randomly changing

tompave
Community Member

Hello, this is a support request with a few technical details. I came across some confusing behaviour and now I'm wondering if the security of my vaults has been compromised.

I've been using 1Password with Dropbox sync for years.
I still use 1Password 5.4.3 because I need to keep vaults separate and manage them with different master passwords.
I have never used the browser extension, which is perhaps relevant to this support request.

I have configured it to store the vault on Dropbox, so that I can access it from multiple computers (e.g. home and work).
When I add or edit an item on one of the computers, the contents.js file plus some more encrypted files [1] are changed and synced through Dropbox. This is normal and makes sense.

At times, when I accidentally modified the same entry on both computers without syncing properly, I got conflicts on Dropbox and had to sort them out manually. This also is fine. It makes sense and is unsurprising.

Recently, however, it happened a few times that on Dropbox sync such files changed without reason. I'm talking about entries that I genuinely haven't modified or accessed in a while (i.e. because I have a persistent session in the browser). And not just the files inside the keychain. When this happens, I can clearly see an item jump to the top of the list if I sort the vault by "modified time".

When I inspect the items in 1Password, I cannot see any change, all the data is the same and still correct (even though I can't possibly memorize long random passwords, I can verify that they are still correct by trying them).
Luckily Dropbox allows me to inspect the change history of a file, and when I do that I notice that:

  • contents.js gets completely changed. The diff is huge. It looks like the contents just gets re-sorted, but nothing is added or removed.
  • the HEX.1password file is changed so that:
    -- its updatedAt and txTimestamp timestamps are updated (they're always the same value);
    -- the encrypted blob is also changed.

I think that the cleartext is still the same, since the data in the application hasn't changed, but why is the cyphertext changing? I suppose that something must be decrypting and reencrypting it with a different IV (or does the app add a sort of salt to the cleartext before encrypting it?).

Still, I wonder what is decrypting and re-encrypting it, and why? Could it be that something has gained access to the Dropbox account and the vault? Is this the normal application behaviour? Why does it happen only at times?

Thank you!
Tom


[1] The files are named $DROPBOX_DIR/1Password/1Password.agilekeychain/data/default/HEXADECIMAL.1password and contain some JSON with the entry name, the encrypted blob, and some metadata. I suppose each file represents an item in the vault. The contents.js file seems to be an index.


1Password Version: 5.4.3
Extension Version: Not Provided
OS Version: 10.13.4
Sync Type: Dropbox
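
A way to compare two Dropbox revisions of an item file and of contents.js offline, as an added example that is not part of the original thread and not 1Password's own code: it reports whether anything besides the timestamps and the encrypted blob changed, and whether the index gained, lost or only re-sorted entries. The `encrypted` key name, the index row layout with the item id in the first position, and all sample values are assumptions constructed for illustration.

```python
import json

# Fields the post reports changing on a silent re-save. "encrypted" as the key
# name of the blob is an assumption; adjust to the keys in your own files.
VOLATILE = {"updatedAt", "txTimestamp", "encrypted"}

def item_changes(old_text, new_text):
    """Split the changed keys of an item file into (expected, unexpected)."""
    old, new = json.loads(old_text), json.loads(new_text)
    changed = {k for k in old.keys() | new.keys() if old.get(k) != new.get(k)}
    return changed & VOLATILE, changed - VOLATILE

def index_changes(old_text, new_text):
    """Compare two index revisions by item id (assumed to be row[0])."""
    old_rows, new_rows = json.loads(old_text), json.loads(new_text)
    old = {r[0]: r for r in old_rows}
    new = {r[0]: r for r in new_rows}
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(k for k in common if old[k] != new[k]),
        # True when the surviving entries appear in a different order.
        "reordered": [r[0] for r in old_rows if r[0] in common]
                     != [r[0] for r in new_rows if r[0] in common],
    }

# Constructed sample revisions (not real vault data).
_BASE = {"uuid": "ID2", "title": "Example login", "location": "https://example.com",
         "updatedAt": 1525000000, "txTimestamp": 1525000000,
         "encrypted": "constructed-blob-1"}
_RESAVED = dict(_BASE, updatedAt=1526000000, txTimestamp=1526000000,
                encrypted="constructed-blob-2")
ITEM_V1 = json.dumps(_BASE)
ITEM_V2 = json.dumps(_RESAVED)                                    # re-save only
ITEM_BAD = json.dumps(dict(_RESAVED, location="https://example.net"))
INDEX_V1 = json.dumps([["ID1", "Login", "Bank", 1524000000],
                       ["ID2", "Login", "Example login", 1525000000]])
INDEX_V2 = json.dumps([["ID2", "Login", "Example login", 1526000000],
                       ["ID1", "Login", "Bank", 1524000000]])

if __name__ == "__main__":
    print(item_changes(ITEM_V1, ITEM_V2))    # only volatile fields changed
    print(item_changes(ITEM_V1, ITEM_BAD))   # cleartext metadata changed too
    print(index_changes(INDEX_V1, INDEX_V2))
```

A clean result only covers the cleartext fields; whether the content inside the encrypted blob is unchanged can be confirmed only by unlocking the vault and checking the item, as described in the post.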

Comments

  • Lars
    1Password Alumni

    @tompave - contents.js is indeed an index. I can't answer whether your specific Dropbox has been compromised - you would have a better sense of that than I do - but I can tell you that we're unaware of any instances of a user's encrypted data being "cracked" when on Dropbox in Agile Keychain format. Of course, Master Passwords can be brute-forced in any setup, but based solely on your post here, I'm guessing you're the type of security-conscious user who wouldn't be using an easily-guessed (or rainbow-tabled) Master Password.

    However, version 5.4.3 is quite old at this point (nearly 2.5 years), and well out of development. I understand your comments regarding opening individual vaults with different vault passwords, but as a company, we can't do otherwise than recommend you not use versions that outdated. A great deal has changed since January of 2016 when 5.4.3 was current, not only in 1Password (where subsequent versions incorporate not just refinements and nifty new features but also security fixes), but also in the underlying OSes as well as in Dropbox. No updates or adaptations to new APIs/code/etc will be reflected in version 5.4.3, because it's no longer in development and therefore changes in ancillary technologies may have unpredictable effects on how it behaves.

    One thing you can do right now (and you should), which may solve the issue you're seeing outright, is switch over from Agile Keychain format to OPVault. Agile Keychain was a great advancement in its day, but it was created around the time of 1Password 3 for Mac, ten years ago. The newer OPVault format is faster and more flexible, and less subject to some of the finicky-ness that could occur with Agile Keychains under certain circumstances. Give that a whirl, and let us know what you discover.

  • tompave
    Community Member

    Hi @Lars, thank you for the reply.

    Yes, I'm fairly sure that my Dropbox account hasn't been compromised. It was properly secured and, after what I described in the opening message happened a couple of times, I thoroughly reviewed all the active sessions and rotated the credentials for good measure. In any case, my question was not really about Dropbox security.

    Also, even if my Dropbox account had been compromised, I don't think (hope?) that it would be possible for someone to decrypt, tamper, and re-encrypt the agilekeychain files without also knowing the master password of the vault.

    Regarding my use of an old version of 1Password, I'm fully aware of the problem. I've discussed at length here on this forum why I cannot upgrade: I need to be able to unlock different vaults with different master passwords. I'm not the only user who's asked to bring back the feature, but so far the situation hasn't changed. Even though it's not the main subject of this thread, I encourage you to read this and this messages of mine where I explain my use case. If you feel like weighing in, I've asked again about this a couple of days ago.

    What I wrote above also means that I cannot use OPVault, unfortunately.

    Back to the main subject, I would say that my main question is really: why is this happening? Let's assume that no one else is accessing my vaults, and this is done by the application: can you please confirm if it's possible that what I described is "normal"? Can you provide an explanation for what I described?

    Thank you for your help!

  • AGAlumB
    1Password Alumni
    edited May 2018

    > Yes, I'm fairly sure that my Dropbox account hasn't been compromised. It was properly secured and, after what I described in the opening message happened a couple of times, I thoroughly reviewed all the active sessions and rotated the credentials for good measure. In any case, my question was not really about Dropbox security.

    @tompave: Sure thing! Thanks for clarifying.

    > Also, even if my Dropbox account had been compromised, I don't think (hope?) that it would be possible for someone to decrypt, tamper, and re-encrypt the agilekeychain files without also knowing the master password of the vault.

    You're correct on the one hand: your 1Password data is end-to-end encrypted, so 1Password simply doesn't depend on the sync service to protect your data.

    However, that doesn't stop someone from messing with the files themselves if they have access to your account. They won't be able to decrypt your 1Password data without your Master Password, but there is still damage they could do.

    > Regarding my use of an old version of 1Password, I'm fully aware of the problem. I've discussed at length here on this forum why I cannot upgrade: I need to be able to unlock different vaults with different master passwords. I'm not the only user who's asked to bring back the feature, but so far the situation hasn't changed. Even though it's not the main subject of this thread, I encourage you to read this and this messages of mine where I explain my use case. If you feel like weighing in, I've asked again about this a couple of days ago.

    Absolutely. We do like to hear how folks are using 1Password, even if it's in ways we didn't intend.

    > What I wrote above also means that I cannot use OPVault, unfortunately.

    That isn't technically true, but that's fine.

    > Back to the main subject, I would say that my main question is really: why is this happening? Let's assume that no one else is accessing my vaults, and this is done by the application: can you please confirm if it's possible that what I described is "normal"? Can you provide an explanation for what I described? Thank you for your help!

    Honestly the best way to narrow it down would be to go to the source. If you're seeing that files are being modified, you can see which device it was that modified them in Dropbox, through their website. Failing that, we're all just speculating.

    But based on your description, it sounds like the files are probably being updated because you've accessed/used them. That would update their "last used" timestamp, if nothing else, which would result in the item being reencrypted and resync'd. But again, I'm not in a position to determine any of that; only you are. Let me know what you find!

  • tompave
    Community Member

    Hi @brenty, thanks for the reply.

    > > What I wrote above also means that I cannot use OPVault, unfortunately.
    >
    > That isn't technically true, but that's fine.

    Oh, that's interesting. The article linked by Lars says that I need 1Password for Mac 6 or later, but if I can try it with 1Password 5 I can give it a go.

    > based on your description, it sounds like the files are probably being updated because you've accessed/used them. That would update their "last used" timestamp, if nothing else, which would result in the item being reencrypted and resync'd.

    Thank you for confirming that this could be the case. That is, that the action of accessing the files could cause the encrypted blob to change because it also contains the timestamps. It really helps to know that it's not because of external access.

    > If you're seeing that files are being modified, you can see which device it was that modified them in Dropbox, through their website.

    That's a great suggestion. Thanks.

    I can confirm that the "auto modified" files have been changed by me (well, by my Dropbox Username), using the "API App", which I think would be the 1Password application. This is different from other files modified manually by me in the Dropbox folder, as those are reported as modified by "Desktop" (the Dropbox app?) on my computer (identified by computer name). For the "API App" modifications it doesn't tell me what's the computer name, but I guess that's because the computer name is metadata that must be sent by the client so it's not always available.

    This is interesting, but it also makes me wonder if what I'm seeing could be caused by 1Password for iOS (which I also use -- and for that I use the latest version). I've always assumed that 1Password for Mac doesn't really use the Dropbox API, and that its only interface with Dropbox is the file system on the computer; so that, when I change an item in a vault, 1Password will simply update contents.js and the FOO.1password file, and then Dropbox will pick it up from there, treating the agile keychain contents as simple generic files. This assumption of mine is what triggered all my alarms: if it had been 1Password for Mac to change the files, why was I receiving Dropbox change notifications as if the files had been changed on another computer?

    However, I suspect that 1Password for iOS will use the Dropbox API instead, and if it's pushing file changes through the Dropbox API, then it's reasonable to see them sync across the other devices in the way I observed.

    It's still surprising to see that 1Password for iOS would modify the vault entries, though. I think it might have happened that I accessed those entries on my phone when the suspicious modifications happened, but I'm not sure. I'll pay more attention to it in the future. For now, I've tried to reproduce it by opening 1Password for iOS, accessing a few items, displaying and copying their passwords and then closing the app (sent it to the background, not fully exited). Of my several attempts, only one caused a .1password file to change and sync (in the exact same way I described in the first post), which however was the file for a completely different vault item that I had not touched in my experiment. It looks like 1Password for iOS is indeed modifying and syncing arbitrary files when it gets opened.

    What do you think?

  • AGAlumB
    1Password Alumni

    > Oh, that's interesting. The article linked by Lars says that I need 1Password for Mac 6 or later, but if I can try it with 1Password 5 I can give it a go.

    @tompave: 1Password 5 is rather old, so I'm not sure I'd recommend it. But, provided you back up your data, there is no harm in trying it. ;)

    > Thank you for confirming that this could be the case. That is, that the action of accessing the files could cause the encrypted blob to change because it also contains the timestamps. It really helps to know that it's not because of external access.

    I guess my issue is I'm hesitant to say one way or the other. That's why I suggested looking into it in your Dropbox account, both to check for suspicious logins and to determine the device where changes were made, if nothing else so that you can confirm that there's no problem and rest easier. :)

    > That's a great suggestion. Thanks.

    You're very welcome! :chuffed:

    > I can confirm that the "auto modified" files have been changed by me (well, by my Dropbox Username), using the "API App", which I think would be the 1Password application. This is different from other files modified manually by me in the Dropbox folder, as those are reported as modified by "Desktop" (the Dropbox app?) on my computer (identified by computer name). For the "API App" modifications it doesn't tell me what's the computer name, but I guess that's because the computer name is metadata that must be sent by the client so it's not always available.

    Correct. It sounds like it was on iOS or Android then, as those use the Dropbox APIs, whereas the Dropbox client is used on the desktop.

    > This is interesting, but it also makes me wonder if what I'm seeing could be caused by 1Password for iOS (which I also use -- and for that I use the latest version). I've always assumed that 1Password for Mac doesn't really use the Dropbox API, and that its only interface with Dropbox is the file system on the computer; so that, when I change an item in a vault, 1Password will simply update contents.js and the FOO.1password file, and then Dropbox will pick it up from there, treating the agile keychain contents as simple generic files. This assumption of mine is what triggered all my alarms: if it had been 1Password for Mac to change the files, why was I receiving Dropbox change notifications as if the files had been changed on another computer?

    I'm not sure I follow you here. If it helps, with AgileKeychain, each item is a separate .1password file within the folder. Regardless of where the data was changed, Dropbox should sync that file (and any others modified).

    > However, I suspect that 1Password for iOS will use the Dropbox API instead, and if it's pushing file changes through the Dropbox API, then it's reasonable to see them sync across the other devices in the way I observed.

    Yes, exactly!

    > It's still surprising to see that 1Password for iOS would modify the vault entries, though. I think it might have happened that I accessed those entries on my phone when the suspicious modifications happened, but I'm not sure. I'll pay more attention to it in the future. For now, I've tried to reproduce it by opening 1Password for iOS, accessing a few items, displaying and copying their passwords and then closing the app (sent it to the background, not fully exited). Of my several attempts, only one caused a .1password file to change and sync (in the exact same way I described in the first post), which however was the file for a completely different vault item that I had not touched in my experiment. It looks like 1Password for iOS is indeed modifying and syncing arbitrary files when it gets opened. What do you think?

    Unless there's a bug, that should be the case. It's less useful on mobile devices, but this allows the desktop apps to sort by date modified and even most frequently used (when it comes to things like logins). You can play around with this in the search area at the top of 1Password for Mac. I don't think it honestly gets much use by any but the most hardcore 1Password users, but I think they're cool features. I'm just sorry if it caused some worry for you!

This discussion has been closed.