Skip to main content

PSA: Beware 1Password web features can leak your browsing history, may show up in Google search

AgileBits has promised to beef up the security of 1Password after a Microsoft software engineer discovered that details of which websites you visit are unencrypted and indexed by Google if you use the 1PasswordAnywhere feature. Dale Myers said that he discovered this by chance after a sync problem led him to investigate the files used to store the metadata.

It turns out that your metadata isn’t encrypted [allowing someone to] go through and find out exactly what shady sites I have accounts on, what software I have licences for, the bank card and accounts I hold, the titles of any secure notes I have, any anything else I’ve decided to store in there.

While passwords remain secure, privacy is placed at risk and the data obtained could, says Myers, be used in a phishing attempt.

Thanks to people having links for easy access to their keychain on their websites, Google has indexed some of these. A simple search brings up results. By looking at one of these it was a simple matter to identify the owner of the keychain and where he lived. I know what his job is. I even know the names of his wife and children. If I was malicious, it would be easy to convince someone that I had compromised their account and had access to all of their credentials.

AgileBits said that the decision not to encrypt metadata was taken back in 2008, when decryption on mobile devices involved significant performance and battery-drain issues, and that it introduced a secure file format in 2012, but that it didn’t want to break compatibility with older versions by making that format the default.

The company said that work on making the secure file format the default was already in hand.

We’ve already started making changes to use OPVault as the default format. In fact, the latest beta of 1Password for Windows does this already. Similar changes are coming to Mac and iOS soon, and we’re planning on using the new format in Android in the future. Once all of these things are complete, we will add an automatic migration for all 1Password users.

For those who don’t want to wait, the company has posted instructions for manually migrating to the new format.

The 1Password iOS app was updated last month with a new design, new password-generation features and iOS 9 features. If you’re not yet using a password manager, check out our how-to guide.

Via Engadget

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. PhilBoogie - 9 years ago

    I think 1P is just a crap product. When registering at a site it logs that URL. Then I use the password suggestion from Safari, which gets saved in the keychain. The site then tells me it doesn’t adhere to the password criteria (one digit, one capital letter, no hash or hyphen… and so on). If I right-click the password field and chose 1P I cannot enter the site’s criteria. So I type in a password myself. Yup, 1P saves it as a new entry. Safari simply asks me if I want to update the saved password. Much cleaner, and that just works.

    When going to that site where I just registered Safari can log me in, 1P thinks it’s a new website login as the URL has changed, so offers to save the password. My 1P list is ridiculous long, and I don;t feel like editing it all out since Safari / Keychain already work.

    Then there’s the OSX 1P interface; totally missing the point on how to design software. And I can’t sync the DB as I didn’t purchase the desktop app through the MAS but through the webshop from AgileBits themselves (which was actually their recommendation¡)

    People, if you’re planning on buying a PW manager; don’t buy this one. Or don’t buy any; Apple’s Keychain works just fine.

    • Ben Lovejoy - 9 years ago

      I use LastPass, and have the same issue that I have to manually trim the URL back to the root when first saving passwords. That’s habit now, though, so I do it on auto-pilot.

    • rwanderman - 9 years ago

      I use both Keychain and 1Password. I’d dump 1Password for Keychain but it’s UI is in sore need of an update: having to type/paste in one’s account password each time you want to get to a stored login password is incredibly awkward. And, unlike 1Password (and other dedicated password managers), it’s not meant to hold anything more than logins. 1Password will hold accounts, credit cards, the works. Very useful.

      I don’t use 1Password everywhere so I’m not sure this latest vulnerability applies to me but I’ve found the company pretty decent about clearing up problems when they arise. 1Password is far from perfect but it is useful and so far it’s worked pretty well for me (along with Keychain).

    • c1ce091b - 9 years ago

      I’ve been using 1Password for years in iOS and on my mac. I have not experienced the pain you have. I find the password generator feature very flexible in meeting a site’s password rules. Sure, from time to time a URL changes at a website and I have to re-save that login entry with the new information, but this doesn’t happen that frequently. Its a minor issue and one I do not attribute to 1Password’s product. With no similar standards followed across all the websites we encounter on a day-to-day basis…. for 1Password to handle as many of them as it does, is a testament to how hard they work in maintaining a tool that is convenient and safe to use.

    • Jim Huls (@Techslacker) - 9 years ago

      I’ve been frustrated with the same issues but I still find 1P to be beneficial enough to keep it around. Sometimes I find Apple’s method to not capture the credentials and then not use credentials that were captured. It’s rare but it happens. Both have their issues.

      I also agree that the UI needs a makeover. 15 some odd years ago I was a Windows user for a few years and my first foray into having a password manager was something called Roboform. It worked great and exactly the way I wanted it to. No idea how good it is now but I still wish Apple’s and AgileBit’s solutions worked as good as that did then.

      • Ben Lovejoy - 9 years ago

        Heh, yeah, I used Roboform too. Feels a long time ago now!

    • megsobrien - 9 years ago

      Hi PhilBoogie,

      I’m Megan and I work for AgileBits, the makers of 1Password.

      I’m sorry to hear that you’ve been feeling frustrated with 1Password. We generally recommend disabling the browser’s built-in password management and autofill function, as that can cause confusion, but it’s not absolutely necessary.

      It sounds like you’re experiencing some issues with the 1Password browser extension, such as the autosave prompt not appearing when expected, the form filling function not working where expected, and the password update prompt not appearing when expected.

      What we’d like to do is recommend that you temporarily disable Safari’s password management and form filling functions, just until we get this sorted out, and then you can enable it again. Blog comments aren’t the best place for troubleshooting, so we invite you to email us at support+social@agilebits.com. Our support team would love to help get 1Password working smoothly for you. :)

  2. c1ce091b - 9 years ago

    For users who sync their library with iCloud, the OPVault format is the default format. See support page: https://support.1password.com/switch-to-opvault/

  3. William D - 9 years ago

    I love Dashlane. I hope it’s secure!

  4. If Google were indexing everything in my Dropbox I’d be in lot more trouble then just what’s plaintext in my .agilekeychain file!

    So can @benlovejoy please explain how users are at risk here? The program offers sync through Dropbox or a local folder; how does that get on the public internet?

    • Ben Lovejoy - 9 years ago

      It’s explained in detail in the linked blog piece, David – I decided it was a bit too involved to quote in the piece here.

      • Thanks for replying Ben, but it still reads like a big nothing burger.

        Dale’s blogpost starts with the sentence:
        “… 1PasswordAnywhere is a feature of 1Password which allows you to access your data without needing their client software.”

        He links directly to an AgileBits support document with instructions to use 1PasswordAnywhere. Step 1 of their instructions read:
        “1: Log in to the Dropbox website.”

        Since my Dropbox account is secured behind 2-factor authentication, no one else has access to the files it contains be they plaintext, encrypted, or just downright explicit.

        So the _only_ way this is an issue is if someone were to upload their .agilekeychain directory to an Internet web server, presumably so they can access it without the tedious effort involved with logging into the Dropbox website. That is, if they decided against following the directions provided by the software vendor and just threw a folder full of files onto the public internet without knowing what that folder contains.

        Should someone who does that be angry at AgileBits for misleading them about the security of this folder full of files if AgileBits has not, in fact, made any assurances that this folder is completely secure?

        So Dale Myers used Teh Google to search out poor misguided individuals who posted embarrassing information on their website, and has now alerted the rest of the world to the treasure trove of voyeuristic enjoyment that provides. I think you can tell which of these players has my respect.

      • Ben Lovejoy - 9 years ago

        AgileBits thinks it an issue worth fixing, so personally I think it worth flagging up to our readers.

  5. PhilBoogie writes “If I right-click the password field and chose 1P I cannot enter the site’s criteria”. But that’s simply not true. The “Password recipe” disclosure triangle is right there in the fly-out menu, and suggested passwords can be fine tuned for the site’s acceptance.

    Furthermore, while 1Password defaults to offering to save a modified password as a new entry, the “save as new entry” is a pop-up menu that also contains the choice to “update existing”.

  6. iSRS - 9 years ago

    Ben,

    Read Dale’s blog post, as well as AgileBits’ response. I am guessing from what I read, but is sounds like if I only use Macs and iOS devices, and only use iCloud sync, then I am not at risk. Is this correct, or your understanding as well?

    I am assuming so, because a search for “.agilekeychain” on my Macs results in no files.

    TIA!

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications