  1.    24 Feb 2017 #1
    Join Date : Jan 2017
    Posts : 27
    Windows

    1Password data leaked for months


    Reading an article today at The Register I saw that the respected Google security researcher Tavis Ormandy has found that:

    Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc.
    What's worse is that 1Password has now published a blog post effectively denying it. Unfortunately for 1Password Tavis has confirmed that 1Password are misleading people and Google have the evidence to prove it:

    their post-mortem indicates this would've been exploitable only 4 days prior to your initial contact. Is that info invalid?


    Yes, they worded it confusingly. It was exploitable for months, we have the cached data.


    Annoyed is an understatement. I, like many others, had wrongly trusted 1Password to keep my data secure. It turns out that trust was severely misplaced. As a result I am going to return to an offline password manager.

    It's especially galling that 1Password try to pretend that their three layer 'defence' would protect customers. They've also stated that "no sensitive data was exposed because it was encrypted in transit." Anybody who understands encryption (like Tavis) knows this doesn't make any difference in this case.

    They also transmit their 'Master Key' over TLS (within something they call an 'Emergency Kit') - and TLS is susceptible to interception as we've seen from the Snowden disclosures. 1Password are based in Canada (one of the Five Eyes spying countries) so I think it's fair to say that based upon their inaccurate and 'confusing' blog post that there's something seriously amiss with their data security.

    A general note to any other password manager developers out there:
    If you run a cloud-based password manager, don't put it behind a CDN in a way that exposes the CDN to secrets.

    https://twitter.com/tqbf/status/834911861904654336
  2.    24 Feb 2017 #2
    Join Date : Oct 2014
    Trnava
    Posts : 2,863
    Windows 10.4 Home 1709 x64

    Online vs offline password managers. You know the difference.

    YOU have to make a choice. Convenience vs security.

    Lastpass has a known serious breach at least once a year.
  3.    24 Feb 2017 #3
    Join Date : Jan 2017
    Posts : 27
    Windows
    Thread Starter

    Quote Originally Posted by TairikuOkami View Post
    Online vs offline password managers. You know the difference.

    YOU have to make a choice. Convenience vs security.
    Very true. The only reason I was using 1Password is for convenience so that I could use it on my Android and my Windows PC.

    My friend has sent me an article about 1Password having been implicated with leaking metadata on a separate occasion:

    1Password Leaks Your Data - myers.io

    Apparently 1Password tried to deny that as well and then blamed its own users for not (manually) converting to the latest data format (despite not telling their users to, and despite converting it breaking compatibility).

  4.    24 Feb 2017 #4
    Join Date : Oct 2014
    Trnava
    Posts : 2,863
    Windows 10.4 Home 1709 x64

    The company shows its true face, when faced with a situation like this.

    They will either apologize or at least try to fix it or deny everything or even worse, blame users (Microsoft).
  5.    24 Feb 2017 #5
    Join Date : Jan 2017
    Posts : 27
    Windows
    Thread Starter

    It seems like 1Password don't know what they're doing.

    One of my friends, a software developer for Apple, said that 1Password didn't understand what was needed on a developer's certificate... despite Apple having told them previously. Then they issued a twee blog post trying to blame Apple for 1Password's own mistake.
    AgileBits Blog | Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

    So angry it's hard to describe... people are trusting them to provide a secure service yet it's nothing of the sort.
  6.    25 Feb 2017 #6
    Join Date : Mar 2015
    Posts : 234
    Windows 10 Pro (x64)

    Why I use Lastpass myself: the data is encrypted on the local machine; the data never leaves your computer in an unencrypted form. Your encryption key (the password you use) never leaves your computer in any form. Lastpass does not have access to your data as they don't have access to your key. Even if Lastpass' servers are hacked and they download the entire database, unless they have the keys your data is unrecoverable. Lastpass went into detail on how their service works and the security they put into it.

    Unless someone here knows how to crack AES without using the key, I would very much like to hear it.
  7.    25 Feb 2017 #7
    Join Date : Oct 2014
    Trnava
    Posts : 2,863
    Windows 10.4 Home 1709 x64

    If you trust it, good for you, I would never use an online password manager.

    Just one of many known examples (most will not make it to public):

    LastPass hacked; security compromised for good

    No one is going to decrypt passwords, there are thousands of ways around.
  8.    25 Feb 2017 #8
    Join Date : Mar 2015
    Posts : 234
    Windows 10 Pro (x64)

    Yes I trust the Lastpass team. When security issues crop up (there will always be security problems, always some unseen bug) they do not go out of their way to hide and/or deny them. Time after time they have shown they take security seriously and improve upon them when they arise. And again, the password vault is nothing more than an encrypted blob unusable to anyone without the key; Lastpass itself mostly acts as a sync for all your computers/devices to share the same vault.
  9.    25 Feb 2017 #9
    Join Date : Jan 2017
    Posts : 27
    Windows
    Thread Starter

    Quote Originally Posted by logicearth View Post
    Yes I trust the Lastpass team. When security issues crop up (there will always be security problems, always some unseen bug) they do not go out of their way to hide and/or deny them. Time after time they have shown they take security seriously and improve upon them when they arise.
    I don't trust the LastPass security team.

    "Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap."
    https://twitter.com/taviso/status/758074702589853696
    Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password.

    That smacks of incompetence. They don't deserve your trust. A security researcher took a quick look and found loads of obvious critical problems including "a complete remote compromise".

    LastPass have a bunch of developers working for them yet they didn't spot obvious critical problems. That's not an unseen bug - that's negligence and proves that they don't take security seriously.

    Zero-day hole can pwn millions of LastPass users, all that's needed is a malicious site • The Register
  10.    25 Feb 2017 #10
    Join Date : Mar 2015
    Posts : 234
    Windows 10 Pro (x64)

    Quote Originally Posted by ahr10 View Post
    That smacks of incompetence. They don't deserve your trust. A security researcher took a quick look and found loads of obvious critical problems including "a complete remote compromise".

    LastPass have a bunch of developers working for them yet they didn't spot obvious critical problems. That's not an unseen bug - that's negligence and proves that they don't take security seriously.
    I see, so you must trust and use nothing then, is that right? I can go down a list and find "obvious critical problems" for any piece of software you use. Linux for example had several "obvious critical problems" that went unnoticed for years; they have a bunch of developers, are they negligent?

    Look, you don't want to trust them, fine, that is your prerogative. It's not a question of whether security vulnerabilities exist for whatever it is you use. The question is how you respond to them. The folks over at Lastpass have shown time and time again they take it seriously and they fix it. Every issue you can pull out of the air has already been fixed.

    Here, more information on that very issue: LastPass Security Updates | The LastPass Blog