Article just published in Washington Post is saying 1password and others have security flaws - Pt.2

derek328
derek328
Community Member

Hello guys,

This is intended to be a quick follow-up to the original mega discussion here:
https://discussions.agilebits.com/discussion/101551/article-just-published-in-washington-post-is-saying-1password-and-others-have-security-flaws/p1

I can see how 1Password 7 can help people become more secure with their online accounts. However, as 1Password 7 currently stands, "helping people become more secure" is not the same thing as saying 1Password is a secure software.. and that is what's worrying us. 1Password really can't be considered as a "secure" software on Windows right now because it fails to practice even basic, secure memory hygiene, a basic prerequisite for a piece of software that's asking people to entrust with their lives. There are whole industries of software out there that have successfully done so for Windows, and even looking within just password managers, KeePassXC has also showed it is a totally do-able thing.

I want to follow up on the new support article you referenced (here). As the article currently stands, it is still focusing on the "attacker scenario". But, the security report actually showed 1Password will leak our secure + master key + individual password even on 100% uncompromised PCs. There is no need for anyone to "access" our computer to read our data maliciously".

So, question: how come your article never disclose the fact that 1Password 7 will leak our data even if there are no malicious attackers involved? A simple hardware driver crash-caused memory dump, or even an overzealous debugging / telemetry service from a completely legitimate software on your PC will do. As per fellow user @alexyang:

  1. Is 1Password team currently working on a fix or mitigation of the issue reported? (I’m not talking about Rust, which no one promised)
  2. Will there be a formal communication from 1Password to the general users informing about this vulnerability and how to take some actions to protect themselves? (I’m talking about a blog post or email communication to all registered users)
  3. Will 1Password hire an independent security firm to audit and do penetration testing of the latest Windows app?

Would love a response. Thank you.


1Password Version: 7.x
Extension Version: Not Provided
OS Version: Windows
Sync Type: Cloud Sync

Comments

  • RyanE
    RyanE
    Community Member

    Was very disappointed they closed the existing thread without addressing all the concerns.

  • derek328
    derek328
    Community Member
    edited February 2019

    @RyanE

    same here. like others have also referenced, it looks to me like 1Password 7 doesn't even manage to deliver on the promises raised here (2012).

    I'd say 1Password 7 for Windows looks almost like it has failed points #3, 5, 6, 7, and 9 to me.

    @A5rypT1K: I find it fascinating that these issues were addressed by Goldberg in a 2012 post here on agilebits titled "Don't trust a password management system you design yourself". Bullet points 3, 5, 6, 7, and 9 all seem pretty relevent [...] Simply cannot wrap my head around a security product leaving the entire database in memory. I work in research and data security in defense and was briefed that 1Password specifically is not to be used.

    @mzman: The authors (of the research paper) singled out 1Password 7 for decrypting most everything and leaving it all in accessible memory [...] They moved it in the wrong direction, from a security point of view.

    @warpspeed: The blog post that says 1Password 7 for Windows: The Best Ever... is absolutely not true in this (most important) regard.

  • alexyang
    alexyang
    Community Member

    Well, I just saw that KB article. There is nothing new from 1Password side. It seems no one in 1Password will do anything more other than "calming" down the users.

    The most important thing to know is that the issue described in the report is only a threat to a computer that is already compromised. If your computer is not compromised, you aren’t affected by the issue.

    This is completely false and misleading. It creates a false sense of security to the normal user who are unfamiliar about information security. The only way to mitigate this issue is either stop using 1Password app on Windows, or stop using any other app on Windows unless you trust EVERY developer of that app, because every app (yes, EVERY APP) on your machine have the capability to read all your secrets immediately. Put simply, your life depends on all the developers of all the apps on your computer. If that is not big risk, I don't know what is.

    Luckily, not all security experts think the same, otherwise Windows will not have UAC, ASLR, etc.

    @derek328 I think I can now answer my own 3 questions.

    1. Is 1Password team currently working on a fix or mitigation of the issue reported? (I’m not talking about Rust, which no one promised)
      No. (Because they don't even think this is an issue at their hands. They blame normal user for their lack of discretion when using softwares and blame Microsoft developers for not providing a secure way of clearing the memory in C#/.NET, and blame the Windows for not sandboxing apps like Macos or iOS. What they never blame are themselves for abandoning the language that provides the exact capability, or their lack of experience in memory management in Windows apps, or the misjudgement that puts functionality over security in design. )

    2. Will there be a formal communication from 1Password to the general users informing about this vulnerability and how to take some actions to protect themselves? (I’m talking about a blog post or email communication to all registered users)
      No. (Because they have closed the only discussion thread to prevent further comments and analysis, and provided a link to a KB article that most normal user won't bother to look at)

    3. Will 1Password hire an independent security firm to audit and do penetration testing of the latest Windows app?
      No sign at the moment. (I have looked at all the published security audit reports. nVisium and CloudNative reports only cover the infrastructure end at AWS, and AppSec report only covers the web app. Both nVisium and CloudNative reports are in 2015, before the release of 1Password 7. 1Password 7 application in Windows, Mac, iOS or Android are NEVER audited publicly. In my opinion, such an important security product should be regularly audited comprehensively at least once every two years. )

    I have lost the confidence in this product. Though I am not actively using 1Password on Windows at the moment, and thus not affected by this bug, I am just shocked by how the lack of care is given to this severe case. I will gradually move all my secrets out to other password managers who are willing to face and address this issue, and cancel the subscription.

    This will be my last reply on this forum.

  • derek328
    derek328
    Community Member

    i agree.

    we've given 1Password plenty of opportunities to speak the truth (telling users that as it currently stands, 1Password 7 will leak our data even when the computer is 100% uncompromised), or they can choose to misdirect.

    and at every turn, they've chosen to ignore us, or misdirect us.

    i for one am deeply, deeply disappointed with 1Password as well.

  • lonevvolf
    lonevvolf
    Community Member

    I am a long-time 1Password supporter, evangelist (to my friends and family), and customer (about 10 years). I lauded them constantly to co-workers (I work in software development, and therefore am pretty security-minded) for their openness regarding their security, and their communicative nature. They (still) never hesitate to have an open conversation with customers about security issues, possible features, etc. When choosing any piece of software, the level of involvement of the company plays a large role for me, as it shows that they support what they make, and they are passionate about it meeting a high level of quality.

    When I read the article, my immediate reaction was depression - I felt completely let-down. As @derek328 pointed out, that article from the 1Password blog itself sums it up perfectly. Those are the points that I expected (and understood) that 1Password strived to implement above and beyond other companies. As a software developer, I understand the attraction and business sense that building on top of proven technologies offers. I also understand, however, that when those technologies fail to meet critical criteria, it is often necessary to roll up your sleeves and get into the mud when something important comes along.

    I want to be entirely clear - it was my understanding, from 1Password's stance over the last roughly 10 years, that memory protection was one of the main features they were offering. If the database they use is built on top of a standard DB (is this the case?), and their encryption is built on top of industry standards (rightly so), what exactly then is 1Password offering me above and beyond integrating those items, and putting a useful UI on top of it? I understand they have built a hosting infrastructure, which I have somewhat reluctantly converted myself to, but this is not really a value-add in my personal case, nor would I say it represents some clear increase in security (but let's not get into that discussion here - it's beside the point).

    I have followed the entire thread before it was closed, and now I have read the blog post which they created to quell people's fears. It is particularly telling that the section entitled "What we're doing" does not list a single concrete action which they plan to take, especially given the excuse that they have already done all they can in the context of the current framework. I am seriously disappointed. What I expected from 1Password was something like the following response:
    "We place the security of your information at the top of our list of priorities, and we take the article published very seriously. While we are currently using every option available to us in the current architecture, there are places which need to be much improved to protect your data in memory. Specifically, we are disappointed that 1Password 7 is less secure in this regard than 1Password 4, and we have decided to immediately begin work to return to the previous level of security. While this may take some time, we are committed to miminizing the exposure of our users' data, even in the event that their system has been compromised. Specifically, the user should expect that 1Password will not show itself as locked until all data has been securely wiped from memory. The lock should be a confirmation to the user that they can safely walk away from their PC and their data will not be read from that point in time."

    The answer given was sadly far from that. To be honest, it's much easier for them to respond that way, since the other tested password managers failed in similar areas (though not as badly as 1Password with the entire DB in plaintext in memory). I am sure there are other password managers (probably less flashy, as they have avoided using some standarized parts of frameworks) which do focus on this aspect of the security.

    From this moment, I no longer feel comfortable recommending 1Password to anyone, and will rather push them toward using free alternatives which offer no less security and peace of mind. I'm sorry.

  • derek328
    derek328
    Community Member
    edited February 2019

    Completely agreed. It's actually quite disturbing how AgileBits has clearly heard our prompts (regarding the fact that 1Password can leak our passwords on a 100% uncompromised Windows systems, and that they've apparently known this security-crippling bug for years) but still chose to delay their public response.. and when they finally did respond (with the KB article 201902a), they chose to focus only on "attacker" scenarios - a categorically different scenario. Why not also disclose in the same article the fact that 1Password 7 has also been found to leak our data unencrypted + in plaintext even when a system is 100% uncompromised?

    In fact, like @alexyang said, your KB article's statement below is completely false and misleading.

    1Password KB article 201902a: "The most important thing to know is that the issue described in the report is only a threat to a computer that is already compromised. If your computer is not compromised, you aren’t affected by the issue."

    Here is the real quote from the research paper:

    "The memory “hygiene” of 1Password7 is so lacking, that it is possible for it to leak passwords from memory without an intentional attack at all."

    Why are you deceiving people, 1Password?

    Even today, there is still no committed timeline for when we will finally get a fix, which I believe is absolutely critical because the vulnerability right now means 1Password - to me in my mind - isn't providing level of end-point protection that we were told it would provide...

    like here: "In the interest of maintaining better confidentiality of your data, there is no mechanism to decrypt your data without the master password."

    like here: points #3, 5, 6, 7, and 9

    like here: "Auto-lock. 1Password can automatically lock to make sure that no one can access your data when you’re away from your desk or after closing the lid on your laptop."

    like here: "Your Secret Key doesn’t need to be memorized, so it can be much stronger. It has 128 bits of entropy, making it infeasible to guess no matter how much money or computing power an attacker has available." (we don't even need a malicious attacker to be involved right now - as per the 3rd party research paper; all we need is a hardware driver to accidentally crash that triggers a system-wide memory dump, which can then potentially generate a telemetry / debug log that gets sent to 3rd parties alongside any of our private data that 1Password had loaded into our cache unencrypted + accessible without need for admin rights).

    like here: "Your Master Password isn’t stored alongside your 1Password data, or anywhere at all." (Apparently AgileBits does not consider being stored unencrypted in our cache memory as "anywhere")

    AgileBits should take down all the misleading & potentially advertising / promises / features that 1Password 7 simply isn't delivering at the moment. just my 2c.

  • ski22
    ski22
    Community Member
    edited February 2019

    I’m another long time 1Password user. I’ve been with them since almost the beginning.

    I’m very disappointed with their response. Their official KB article is inaccurate. They know your system does not have to be compromised for your secrets to be leaked. As stated previously by both the research paper and their customers on this forum.

    With their excuse (which is inaccurate), then why even encrypt the database file on the user’s system ? Why can’t it just be a plain text file on the user’s disk ? It would only be an issue on a compromised system, just like what they falsely claim with their memory leak issue.

    I too have turned to another password manager. I have lost faith with 1Password because of the way they handled this issue.

  • Lars
    Lars
    1Password Alumni

    Hi guys. Again, we appreciate everyone's participation on this so far, but I'd point everyone once again to our public statement on the matter:

    Managing 1Password Secrets in Memory

    ...and reiterate Ben's request in the original thread that

    If you have specific questions that have not been addressed in this thread or in the above article, or if you'd like clarification on any points, please feel to reach out directly to our security team at support+security@1password.com.

    Thanks, everyone! :)

This discussion has been closed.