Login error message might reveal too much

dahanbn
Community Member

After trying to login on a browser that I didn't use for a while I saw the following error message:

Of course the error message describes the problem that the email address and the account key didn't match. It solved my problem because I changed my email address a few months ago. But couldn't that be a security issue as well, because it tells something about the account?



Comments

  • Ben

    Hi @dahanbn

    Could you please elaborate on how you feel this is a security issue? In what way would this information help an attacker?

    Ben

  • Manaburner
    Community Member

    The error message says "The email address and Secret Key are not correct for..." So IMHO the attacker still does not know which part is right or wrong.

  • Manaburner
    Community Member

    I still don't get how the error message "wrong email address and secret key" would leak any information.
    It would only leak information if you just entered the email address and a wrong secret key and it would say "The secret key for that email address is wrong". That would indeed confirm that an account with this email address does exist.

    I have just tested the combinations right secret key + wrong email address and wrong secret key + right email address and both produce the same error message, i.e. the one you have posted.

    But what I did find was that guest accounts of 1Password Families get a different error message. That one says "Cannot sign in. Your email address, Secret Key, or Master Password is incorrect."

    That was the closest I got to what would present a leak.

    But like you said, AB has to decide if and what they want to do about that :)
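The check Manaburner describes above (right Secret Key + wrong email versus wrong Secret Key + right email, compared for identical messages) is easy to automate against a sign-in handler. The following is an added illustration, not code from 1Password or from anyone in this thread: it models a sign-in endpoint as a plain Python function, shows a leaky variant beside a uniform-message variant, and runs the two-combination test against each. The account store, the key format and the message strings are constructed placeholders.

```python
import hmac

# Constructed sample account store: email -> Secret Key (placeholder values, not real 1Password data).
ACCOUNTS = {
    "alice@company.example": "A3-EXAMPLE-SECRET-KEY-0001",
}

# Dummy key compared against when the email is unknown, so the handler does the same
# comparison work whether or not the account exists (assumption: mirrors a real server's
# constant-work path; database lookup time is not modelled here).
DUMMY_SECRET_KEY = "A3-DUMMY-SECRET-KEY-000000"

# One message for every failed sign-in, in the spirit of the message quoted in the thread.
GENERIC_ERROR = "The email address and Secret Key are not correct."


def leaky_sign_in(email: str, secret_key: str) -> tuple[bool, str]:
    """Anti-pattern: the message differs depending on which credential failed,
    so the response itself confirms whether the email is registered."""
    stored = ACCOUNTS.get(email)
    if stored is None:
        return (False, "No account exists for that email address.")
    if not hmac.compare_digest(stored.encode(), secret_key.encode()):
        return (False, "The Secret Key for that email address is wrong.")
    return (True, "ok")


def uniform_sign_in(email: str, secret_key: str) -> tuple[bool, str]:
    """Hardened form: same message, and the same comparison work, whether the
    email is unknown or the Secret Key is wrong."""
    stored = ACCOUNTS.get(email)
    known = stored is not None
    candidate = stored if known else DUMMY_SECRET_KEY
    # compare_digest runs in time independent of where the strings first differ.
    key_ok = hmac.compare_digest(candidate.encode(), secret_key.encode())
    if not (known and key_ok):
        return (False, GENERIC_ERROR)
    return (True, "ok")


def response_oracle_exists(sign_in, known_email: str, known_key: str,
                           other_email: str = "nobody@company.example") -> bool:
    """Repeat the two-combination check from the thread against a sign-in function.
    Returns True when 'right key + wrong email' and 'wrong key + right email' produce
    different messages, i.e. the error text reveals whether an email is registered."""
    _, msg_wrong_email = sign_in(other_email, known_key)
    _, msg_wrong_key = sign_in(known_email, known_key + "X")  # appending a char guarantees a wrong key
    return msg_wrong_email != msg_wrong_key


if __name__ == "__main__":
    alice_key = ACCOUNTS["alice@company.example"]
    for name, fn in (("leaky_sign_in", leaky_sign_in), ("uniform_sign_in", uniform_sign_in)):
        print(f"{name}: error text reveals registration = "
              f"{response_oracle_exists(fn, 'alice@company.example', alice_key)}")
```

The uniform handler only closes the oracle in the sign-in message itself. As the whitepaper excerpt later in this thread explains, other server requests can still confirm membership, so a uniform error text is one layer, not a complete answer; response timing (including a database lookup that only happens for known emails) is another channel this toy does not address beyond the dummy comparison.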

  • AGKyle
    1Password Alumni

    Hi All

    This is a quote from our whitepaper:

    Revealing who is registered
    If Oscar suspects that alice@company.example is a registered user in a particular Team or Family it is possible for him to submit requests to our server which would allow him to confirm that an email address is or isn’t a member of a team. Note that this does not provide a mechanism for enumerating registered users; it is only a mechanism that confirms whether a particular user is or isn’t registered. Oscar must first make his guess and test that guess.
    We had attempted to prevent this leak of information and believed that we had. A difficult-to-fix design error means that we must withdraw from our claim of that protection.

    So this is a decision we've made. I think in an ideal world we would've loved to have been able to not reveal this information.

    Hope that at least clarifies things a little bit.

  • Manaburner
    Community Member

    Thank you @AGKyle

  • Ben

    On behalf of Kyle you're most welcome. :)

    Ben
