Your Password Manager 1Password Leaks Your Account’s Important Metadata

SP’s: A feature of the 1Password password manager has been found to leak traces of the user account’s metadata, which could be exploited by attackers. However, only older accounts that still use the Agile Keychain format are affected.

Storing all your passwords and sensitive information in a single vault appears to be a good option, but what if the vault itself is broken? 1Password, built by AgileBits Inc., is one such vault. It is locked with a master password that is strengthened using the Password-Based Key Derivation Function 2 (PBKDF2).

1Password is widely assumed to be the best in the business, but Dale Myers, a Microsoft engineer, has exposed a small flaw in how it manages the safety of its data, described in his blog. According to Myers, accounts managed by 1Password that still use the older Agile Keychain format may not be secured well enough.

1Password stores the password files as HTML files that are synchronized through Dropbox or iCloud. However, only the password data itself is encrypted; the user account’s metadata is not.

This gap in 1Password’s protection leaks your metadata. Myers found that 1PasswordAnywhere, a feature of the password manager, exposes account names and website login URLs to anyone who has the Dropbox location or URL of the HTML file.

This flaw affects only accounts that use 1Password’s older Agile Keychain encryption format.

Metadata may seem harmless, but it can reveal a lot about your online habits and give hints to an attacker or a surveillance agency. A situation might also arise where you are on a ‘reset password’ page and, at the same moment, the attacker gets hold of the user’s password and URL combination. In such a situation, the attacker would be able to change the passwords of your accounts.

1Password responded to the issue and assured Myers that this leakage was deliberate, to avoid performance problems for the password manager’s users. It is also the company’s way of encouraging users to move from Agile Keychain to the newer and better-secured OPVault format.
