I've read through the new security audit and one thing worries me, so I thought I'd just ask.
The application uses an implementation of Secure Remote Password (SRP) to prevent the server from having
access to the user’s master password. This greatly reduces the chances that an attacker would be able to access
user data, even with access to 1Password’s data. It must be noted however, this depends on the integrity of the
client-side code hosted on the 1Password server; any event that allowed an attacker to modify this code could
result in the user’s master password or other data being exposed.
Maybe I'm just reading it wrong (English is not my native language), but does that mean that an attacker can modify the code on the server so that they obtain the master password of the user logging in at that time?
When they are already on the server they also would have the databases.
Or does the secret key prevent them from unlocking the vaults/databases in that specific case? Or could they modify the code to obtain the secret key too?
If so, the encryption would be useless when they can obtain both by modifying the server code.
Also, there are pages missing; will they be added in the future, or were they excluded for privacy reasons?
Only pages 3 to 7 of 18 are present.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided