1Password data leaked for months


  1. Posts : 27
    Windows
       #1

    1Password data leaked for months


    Reading an article today at The Register I saw that the respected Google security researcher Tavis Ormandy has found that:

    Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc.

    What's worse is that 1Password has now published a blog post effectively denying it. Unfortunately for 1Password Tavis has confirmed that 1Password are misleading people and Google have the evidence to prove it:

    their post-mortem indicates this would've been exploitable only 4 days prior to your initial contact. Is that info invalid?


    Yes, they worded it confusingly. It was exploitable for months, we have the cached data.


    Annoyed is an understatement. I, like many others, had wrongly trusted 1Password to keep my data secure. It turns out that trust was severely misplaced. As a result I am going to return to an offline password manager.

    It's especially galling that 1Password try to pretend that their three layer 'defence' would protect customers. They've also stated that "no sensitive data was exposed because it was encrypted in transit." Anybody who understands encryption (like Tavis) knows this doesn't make any difference in this case.

    They also transmit their 'Master Key' over TLS (within something they call an 'Emergency Kit') - and TLS is susceptible to interception as we've seen from the Snowden disclosures. 1Password are based in Canada (one of the five eyes spying countries) so I think it's fair to say that based upon their inaccurate and 'confusing' blog post that there's something seriously amiss with their data security.

    A general note to any other password manager developers out there:
    If you run a cloud-based password manager, don’t put it behind a CDN in a way that exposes the CDN to secrets.

    https://twitter.com/tqbf/status/834911861904654336


  2. Posts : 5,452
    Windows 11 Home
       #2

    Online vs offline password managers. You know the difference.

    YOU have to make a choice. Convenience vs security.

    Lastpass has a known serious breach at least once a year.


  3. Posts : 27
    Windows
    Thread Starter
       #3

    TairikuOkami said:
    Online vs offline password managers. You know the difference.

    YOU have to make a choice. Convenience vs security.

    Very true. The only reason I was using 1Password is for convenience so that I could use it on my Android and my Windows PC.

    My friend has sent me an article about 1Password having been implicated with leaking metadata on a separate occasion:

    1Password Leaks Your Data - myers.io

    Apparently 1Password tried to deny that as well and then blamed its own users for not (manually) converting to the latest data format (despite not telling their users to and that converting it would break compatibility).



  4. Posts : 5,452
    Windows 11 Home
       #4

    The company shows its true face, when faced with a situation like this.

    They will either apologize or at least try to fix it, or deny everything or, even worse, blame users (Microsoft).


  5. Posts : 27
    Windows
    Thread Starter
       #5

    It seems like 1Password don't know what they're doing.

    One of my friends, a software developer for Apple, said that 1Password didn't understand what was needed on a developer's certificate... despite Apple having told them previously. Then they issued a twee blog post trying to blame Apple for 1Password's own mistake.
    AgileBits Blog | Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

    So angry it's hard to describe... people are trusting them to provide a secure service yet it's nothing of the sort.


  6. Posts : 234
    Windows 10 Pro (x64)
       #6

    Why I use Lastpass myself: the data is encrypted on the local machine, and it never leaves your computer in an unencrypted form. Your encryption key (the password you use) never leaves your computer in any form. Lastpass does not have access to your data as they don't have access to your key. Even if Lastpass' servers are hacked and they download the entire database, unless they have the keys your data is unrecoverable. Lastpass went into detail on how their service works and the security they put into it.

    Unless someone here knows how to crack AES without using the key, I would very much like to hear it.


  7. Posts : 5,452
    Windows 11 Home
       #7

    If you trust it, good for you, I would never use an online password manager.

    Just one of many known examples (most will not make it to public):

    LastPass hacked; security compromised for good

    No one is going to decrypt passwords, there are thousands of ways around.


  8. Posts : 234
    Windows 10 Pro (x64)
       #8

    Yes I trust the Lastpass team. When security issues crop up, (there will always be security problems, always some unseen bug) they do not go out of their way to hide and/or deny them. Time after time they have shown they take security seriously and improve upon them when they arise. And again, the password vault is nothing more than an encrypted blob unusable to anyone without the key, Lastpass itself mostly acts as a sync for all your computers/devices to share the same vault.


  9. Posts : 27
    Windows
    Thread Starter
       #9

    logicearth said:
    Yes I trust the Lastpass team. When security issues crop up, (there will always be security problems, always some unseen bug) they do not go out of their way to hide and/or deny them. Time after time they have shown they take security seriously and improve upon them when they arise.

    I don't trust the LastPass security team.

    "Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap."
    https://twitter.com/taviso/status/758074702589853696

    "Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password."


    That smacks of incompetence. They don't deserve your trust. A security researcher took a quick look and found loads of obvious critical problems including "a complete remote compromise".

    LastPass have a bunch of developers working for them yet they didn't spot obvious critical problems. That's not an unseen bug - that's negligence and proves that they don't take security seriously.

    Zero-day hole can pwn millions of LastPass users, all that's needed is a malicious site • The Register


  10. Posts : 234
    Windows 10 Pro (x64)
       #10

    ahr10 said:
    That smacks of incompetence. They don't deserve your trust. A security researcher took a quick look and found loads of obvious critical problems including "a complete remote compromise".

    LastPass have a bunch of developers working for them yet they didn't spot obvious critical problems. That's not an unseen bug - that's negligence and proves that they don't take security seriously.

    I see, so you must trust and use nothing then, is that right? I can go down a list and find "obvious critical problems" for any piece of software you use. Linux for example had several "obvious critical problems" that went unnoticed for years, they have a bunch of developers, are they negligent?

    Look, you don't want to trust them, fine, that is your prerogative. It's not a question of whether security vulnerabilities exist for whatever it is you use. The question is how you respond to them. The folks over at Lastpass have shown time and time again that they take it seriously and they fix it. Every issue you can pull out of the air has already been fixed.

    Here, more information on that very issue: LastPass Security Updates | The LastPass Blog


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd