#1
1Password data leaked for months
Reading an article today at The Register I saw that the respected Google security researcher Tavis Ormandy has found that:
"Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc."
What's worse is that 1Password has now published a blog post effectively denying it. Unfortunately for 1Password, Tavis has confirmed that 1Password are misleading people and Google have the evidence to prove it:
"their post-mortem indicates this would've been exploitable only 4 days prior to your initial contact. Is that info invalid?"
Annoyed is an understatement. I, like many others, had wrongly trusted 1Password to keep my data secure. It turns out that trust was severely misplaced. As a result I am going to return to an offline password manager.
It's especially galling that 1Password try to pretend that their three layer 'defence' would protect customers. They've also stated that "no sensitive data was exposed because it was encrypted in transit." Anybody who understands encryption (like Tavis) knows this doesn't make any difference in this case.
They also transmit their 'Master Key' over TLS (within something they call an 'Emergency Kit') - and TLS is susceptible to interception as we've seen from the Snowden disclosures. 1Password are based in Canada (one of the Five Eyes spying countries), so I think it's fair to say, based upon their inaccurate and 'confusing' blog post, that there's something seriously amiss with their data security.
A general note to any other password manager developers out there:
"If you run a cloud-based password manager, don’t put it behind a CDN in a way that exposes the CDN to secrets."
https://twitter.com/tqbf/status/834911861904654336