This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Security bug?

I have 1Password installed on a Motorola Atrix running 2.2, latest version of 1Password. Without having 1Password loaded, you can see all the passwords without needing the master 1Password password. To see everything, all you have to do is:

Add the default google search widget to one of your home screens (if not already there)

Start a search and select the settings icon for the search widget and select 1password to be included

Now search for anything in your 1password locker

The results will show in the search results

Select it. No prompt for your 1password password. You can see all the items and all the passwords



Is this happening to anyone else?

Comments

  • GeneY (AWS Team)
    Hi Balto,



    Thank you for the feedback and welcome to the Forum!



    First of all, I can assure you that nobody will be able to read your private data without your Master Password.

    That is simply impossible because 1Password doesn't store your Master Password anywhere on the phone, not even in the most hidden properties.

    If you open any of the 1Password files stored in the default/data folder, you will see that all secure information is encrypted.

    Therefore, in order to decrypt your secure data and see it, the Master Password must be provided first; there is absolutely no other way.



    In other words, in order to log in to 1Password, the Master Password is absolutely required.

    Then, if you press the Back or Home button or switch to another application, 1Password is still running in the background (until the Android OS kills it, or until you go to

    Settings->Manage Applications, select 1Password and click the Force Close button).

    However, when you bring the application back, it should come up locked with PIN or Master Password, which is what I see it do.



    I spent at least a couple of hours today trying to reproduce the issue on my Nexus One phone; I installed Google Search and followed your steps precisely.

    In every case where I chose 1Password as a search result, the application came up locked. I did the testing with both PIN and Master Password.

    Please go to 1Password preferences->Application Protection and make sure you have one of the checkboxes, "Master Password" or "PIN Code", checked.



    Please let me know if you find my explanation helpful.

    Otherwise, please forward your suggestions to my Android support account android-support@agile.ws; I will be glad to assist you further.



    Thank you and best regards,

    Gene

    Android developer

  • I was easily able to replicate this issue. All of the information stored in 1password can be seen including all passwords without entering the Master Password as soon as the phone powers on.

    Follow this sequence to replicate:

    1. turn the phone off

    2. turn the phone on

    3. use the google search widget to search for one of the 1password entries

    4. all the 1password entries are immediately visible



    Given that I never entered my 14-digit master password after the phone powered on, the only conclusion is that either the password is stored on the phone or the data was never encrypted. Either way, 1Password is completely insecure.
  • GeneY (AWS Team)
    Hello ol2,



    Thank you for the information.

    It took me a while but I was able to reproduce the issue following your steps.

    I was able to see the list of items without entering the Master Password (the same information is stored in the context.js file inside the 1Password.agilekeychain/data/default folder).

    By the way, this data file is not encrypted (at least in the current version of 1Password for Mac/PC; this is going to be changed very soon), and a password was not required in order to see the list of items.

    You may notice that when you click on any item in order to see its contents, you are not able to do so (it cannot be done without entering the Master Password).



    Again, I confirm that the Master Password is not stored anywhere on the phone and all data on the phone is encrypted exactly the same way as on PC/Mac (in fact it is simply copied from the Dropbox server to the phone's SD card without the slightest modification).



    The good news is that the issue has been fixed and will be available in the new release of 1Password for Android coming soon. Please stay tuned for the updates.



    Best regards,

    Gene

    Android developer

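The exposure described in this thread comes from the app's global-search integration answering queries before anyone has unlocked the vault. The following is an added illustration, not AgileBits' code, of how an Android search suggestion provider can be gated on lock state; the class name, the unlock()/lock() calls and the in-memory title list are assumptions, and it presumes the app registers the provider through android:searchSuggestAuthority and android:includeInGlobalSearch="true" in searchable.xml.

```java
import android.app.SearchManager;
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.provider.BaseColumns;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Suggestion provider that Quick Search Box queries for the home-screen widget
// (registered through android:searchSuggestAuthority in searchable.xml).
public class VaultSuggestionProvider extends ContentProvider {
    private static final String[] COLUMNS = {
        BaseColumns._ID, SearchManager.SUGGEST_COLUMN_TEXT_1,
        SearchManager.SUGGEST_COLUMN_INTENT_DATA };
    // Item titles are held here only while the vault is unlocked; lock() drops
    // them so a search after locking (or after a reboot) finds nothing.
    private static volatile List<String> unlockedTitles = null;

    public static void unlock(List<String> titles) { unlockedTitles = new ArrayList<>(titles); }
    public static void lock() { unlockedTitles = null; }
    @Override public boolean onCreate() { return true; }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        MatrixCursor cursor = new MatrixCursor(COLUMNS);
        List<String> titles = unlockedTitles;
        String term = uri.getLastPathSegment();
        if (titles == null || term == null) {
            // Locked: answer with an empty cursor, so global search lists no
            // vault entries instead of the item names from the contents file.
            return cursor;
        }
        term = term.toLowerCase(Locale.ROOT);
        int id = 0;
        for (String title : titles) {
            if (title.toLowerCase(Locale.ROOT).contains(term)) {
                // Intent data carries the title only for illustration (assumption).
                cursor.addRow(new Object[] { id++, title, title });
            }
        }
        return cursor;
    }

    @Override public String getType(Uri uri) { return SearchManager.SUGGEST_MIME_TYPE; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String sel, String[] args) { return 0; }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { return 0; }
}
```

The activity that receives the tapped suggestion must apply the same lock check itself, since a suggestion can be served just before the vault locks and the intent delivered afterwards.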
    Thanks for looking at this. I don't really understand the details of what's encrypted vs. not encrypted, but I can report with certainty that I can see all the contents of every record stored in 1Password, including all the passwords, using the method described below without entering the master password. I don't know how this can happen given your explanation, but I have repeated this scenario several times and every time I get full access to all the records without entering the master password. Perhaps Android is caching the master password or caching the unencrypted records, or you have just inadvertently stored it somewhere... I have no idea, but somehow the security is broken.
  • GeneY (AWS Team)
    Thank you for reporting the issue. I am currently reviewing the application logic for the new release coming very soon.

    The new release will have a very different look and feel and lots of internal logic is going to be changed as well.

    Please stay tuned for the updates.



    Best regards,

    Gene