Windows 10: 1Password data leaked for months


  1. ahr10 Win User

    1Password data leaked for months


    Reading an article today at The Register I saw that the respected Google security researcher Tavis Ormandy has found that:

    What's worse is that 1Password has now published a blog post effectively denying it. Unfortunately for 1Password Tavis has confirmed that 1Password are misleading people and Google have the evidence to prove it:

    Annoyed is an understatement. I, like many others, had wrongly trusted 1Password to keep my data secure. It turns out that trust was severely misplaced. As a result I am going to return to an offline password manager.

    It's especially galling that 1Password try to pretend that their three layer 'defence' would protect customers. They've also stated that "no sensitive data was exposed because it was encrypted in transit." Anybody who understands encryption (like Tavis) knows this doesn't make any difference in this case.

    They also transmit their 'Master Key' over TLS (within something they call an 'Emergency Kit') - and TLS is susceptible to interception as we've seen from the Snowden disclosures. 1Password are based in Canada (one of the five eyes spying countries) so I think it's fair to say that based upon their inaccurate and 'confusing' blog post that there's something seriously amiss with their data security.

    A general note to any other password manager developers out there:
    :)
     
    ahr10, Feb 23, 2017
    #1
  2. mrsrocco Win User

    1password beta app not working in Windows 10

    OT- 1password

    I have windows 10 and I was told by 1password that is the only platform 1password beta will work on. I get to the page to load the app and the blue store icon shows up for 10 seconds disappears and won't let me load the app. what is going on?
     
    mrsrocco, Feb 23, 2017
    #2
  3. Entegy Win User
    Massive Data Leak?

    This is something wrong with the phone or AT&T and they're not saying. I survive on 512 megabytes a month and use 3G data daily on my commute and I average about ~300MB a month. For obvious reasons, I don't stream video or download apps while on 3G though.
     
    Entegy, Feb 23, 2017
    #3
  4. 1Password data leaked for months

    Online vs offline password managers. You know the difference.

    YOU have to make a choice. Convenience vs security. *Nerd

    Lastpass has a known serious breach at least once a year.
     
    TairikuOkami, Feb 23, 2017
    #4
  5. ahr10 Win User
    Very true. The only reason I was using 1Password is for convenience so that I could use it on my Android and my Windows PC.

    My friend has sent me an article about 1Password having been implicated with leaking metadata on a separate occasion:

    1Password Leaks Your Data - myers.io

    Apparently 1Password tried to deny that as well and then blamed its own users for not (manually) converting to the latest data format (despite not telling their users to and that converting it would break compatibility).

    *Mad
     
    ahr10, Feb 23, 2017
    #5
  6. The company shows its true face, when faced with a situation like this.

    They will either apologize or at least try to fix it or deny everything or even worse, blame users (Microsoft).
     
    TairikuOkami, Feb 23, 2017
    #6
  7. ahr10 Win User
    It seems like 1Password don't know what they're doing.

    One of my friends, a software developer for Apple, said that 1Password didn't understand what was needed on a developer's certificate... despite Apple having told them previously. Then they issued a twee blog post trying to blame Apple for 1Password's own mistake.
    AgileBits Blog | Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

    So angry it's hard to describe... people are trusting them to provide a secure service yet it's nothing of the sort.
     
    ahr10, Feb 23, 2017
    #7
  8. 1Password data leaked for months

    This is why I use Lastpass myself: the data is encrypted on the local machine; the data never leaves your computer in an un-encrypted form. Your encryption key (the password) you use never leaves your computer in any form. Lastpass does not have access to your data as they don't have access to your key. Even if Lastpass' servers are hacked and they download the entire database, unless they have the keys your data is unrecoverable. Lastpass went into detail on how their service works and the security they put into it.

    Unless someone here knows how to crack AES without using the key, I would very much like to hear it.
     
    logicearth, Feb 24, 2017
    #8
  9. If you trust it, good for you, I would never use an online password manager.

    Just one of many known examples (most will not make it to public):

    LastPass hacked; security compromised for good

    No one is going to decrypt passwords, there are thousands of ways around.
     
    TairikuOkami, Feb 24, 2017
    #9
    Yes I trust the Lastpass team. When security issues crop up (there will always be security problems, always some unseen bug) they do not go out of their way to hide, and or deny them. Time after time they have shown they take security seriously and improve upon them when they arise. And again, the password vault is nothing more than an encrypted blob unusable to anyone without the key; Lastpass itself mostly acts as a sync for all your computers/devices to share the same vault.
     
    logicearth, Feb 24, 2017
    #10
  11. ahr10 Win User
    I don't trust the LastPass security team.
    "Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap." - Tavis Ormandy on Twitter

    "Full report sent to LastPass, they're working on it now. Yes, it's a complete remote compromise. Yes, I promise I'll look at 1Password." - Tavis Ormandy on Twitter


    That smacks of incompetence. They don't deserve your trust. A security researcher took a quick look and found loads of obvious critical problems including "a complete remote compromise".

    LastPass have a bunch of developers working for them yet they didn't spot obvious critical problems. That's not an unseen bug - that's negligence and proves that they don't take security seriously. *Shock

    Zero-day hole can pwn millions of LastPass users, all that's needed is a malicious site • The Register
     
    ahr10, Feb 24, 2017
    #11
    I see, so you must trust and use nothing then, is that right? I can go down a list and find "obvious critical problems" for any piece of software you use. Linux, for example, had several "obvious critical problems" that went unnoticed for years; they have a bunch of developers, so are they negligent?

    Look, you don't want to trust them, fine, that is your prerogative. It's not a question of whether security vulnerabilities exist for whatever it is you use. The question is how you respond to them. The folks over at Lastpass have shown time and time again they take it seriously and they fix it. Every issue you can pull out of the air has already been fixed.

    Here, more information on that very issue: LastPass Security Updates | The LastPass Blog
     
    logicearth, Feb 25, 2017
    #12
  13. Pyprohly Win User

    1Password data leaked for months

    AgileBits is far from at fault here. It’s Cloudflare who stand at the stage of the problem. From what I’ve gathered, the problem in its essence is that their content delivery system, the way it had been designed, would occasionally leak private data sent to it via SSL, undermining their use of HTTPS. “Cloudbleed” it’s being called, and Cloudflare have a technical analysis of the issue on their blog. Of course, the issue has quickly been resolved.

    I trust AgileBits’ word when they say that they don’t rely on HTTPS to be secure. They’re password management specialists after all, and 1Password is their primary product and service so you can expect them to be especially focused on stabilising and staying vigilant to the security aspects of their service.

    Your sense of trust is galling. If you don't trust encryption and you heavily value privacy over the information you transmit over the internet, how is it that you've signed up with any internet service at all? Encryption is the basis of your safety on the internet. If you don't trust encryption I'm not sure what technology you were relying on for safety prior to the news. Perhaps it was the terms "SSL" and "HTTPS" that made you feel safe. These protocols themselves are completely encryption oriented. Encryption is an established process.

    This was a completely separate incident in which their mistake was hardly a disreputable one. The developers screwed up, got flamed for it, worked tirelessly to resolve the issue. I can sympathise. It happens, you get over it, you move on.

    From what I can interpret, they were completely honest about the situation the whole way through: Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm
    Furthermore, there's nothing that indicates AgileBits putting the blame on Apple for their own mistake. In fact, if anything, they have drawn closer relations to Apple now as they ensure that the incident doesn't repeat itself in future.
    And that is the best action they could have possibly taken in the circumstances.

    By the way, I’m sure Apple doesn’t spend their days going around telling developers how to compose a developer’s certificate. If you’ve got evidence of “Apple having told them previously”, I’d like to hear.

    Unless a wave of instances of 1Password users suddenly discovering their login details being compromised begins to surface, I say AgileBits get to keep their established reputability in security for now.
     
    Pyprohly, Feb 25, 2017
    #13
  14. ahr10 Win User
    You're misunderstanding the principal issue at play here. You simply cannot find "obvious critical problems" (note the plural) in Linux because it's open source. More on that later.

    There have been several issues in Linux but not all in the same piece of software and most of which have not been obvious. A minority have been critical and have been quickly repaired by the Linux developers.

    The difference between LastPass, 1Password and Linux is that Linux is open source. That means anybody can review the source code and point problems out, submit a fix to the community for approval or just repair their own software. You cannot do that in black box software (LastPass or 1Password); it's illegal - DMCA laws etc.

    For one security researcher [Tavis Ormandy] to find "a bunch of obvious critical problems" after "a quick look" is terrible. Tavis is paid by Google so he's not got the time to do a full audit of the LastPass code but it disgusts me that a commercial company cannot be bothered to pay independent auditors to take a thorough look at their code. Clearly they don't take security seriously.

    With Linux the whole code (not just little bits of it) is open to inspection. Anybody competent can do this for free... and they do because it's part of a community spirit. Very few people will be willing to do this for a commercial company who have the funds and resources to do this themselves. Any problems in Linux have not been that "obvious" because the code has been reviewed thousands if not tens of thousands of times.

    Also LastPass and 1Password are a massive target for obvious reasons - they have a repository of passwords that unlock your online life. For these problems to go unnoticed is dire and inexcusable. Look at the two biggest open source, free password managers: KeePass and Password Safe. Neither have any known critical vulnerabilities and both can have their source code inspected.

    Linux on the other hand has various distributions, different implementations, other safeguards etc. which make breaking part of it nowhere near as severe as cracking a general purpose password manager. If somebody gets into your password manager the results can be devastating.

    Company blogs are normally propaganda pieces to make them look like they're being open and honest when the reality is they're doing damage limitation.

    You can bet your bottom dollar that hackers are aware of other/new issues and they won't be reporting them to LastPass to be fixed. And because LastPass don't proactively audit their code (otherwise issues would be found) the hackers will have a field day.
     
    ahr10, Feb 25, 2017
    #14
  15. ahr10 Win User
    I've read Cloudflare's blog and their damage limitation. Let me quote Troy Hunt of Microsoft:

    "Firstly, Cloudflare serves an almost unfathomably large amount of traffic. I wrote a course on Getting Started with CloudFlare Security in mid-2015 and they were serving 5 trillion requests a month at that time and I assume much more as of today. The bottom line is that we're looking at millions of requests per month potentially leaking data."

    Why didn't Cloudflare detect this major breach themselves?

    But 1Password are not being truthful. They serve the 'Emergency Kit' (which has your unique SRP key inside) over HTTPS. This coupled with your password can be used to get inside your trove of passwords.

    As "password management specialists" they didn't perceive this breach would occur and their mitigation doesn't cut it. Nor have they been particularly vigilant otherwise they'd have spotted this before Tavis!

    If the company can't even stay on top of their game when it comes to basic stuff (developers' certificates) I must entirely reject the argument that they're "vigilant".


    There's a difference between one service being breached and your whole online life being put at risk because of a vulnerability in a password manager. Neither SSL nor HTTPS make me feel safe. Actually it's TLS over HTTPS these days.

    It's a matter of perspective as I alluded to in my earlier post. A company like 1Password is a massive target because if they're breached then so are all your other passwords.
    Of course they're going to suggest they worked tirelessly. People pay them money to stay on top of the latest developments in security so that they (the individual customers) don't have to. They should have pre-empted this and taken appropriate action instead of waiting for something to happen and then doing reactive firefighting.
    They've already tried to make it sound like it was a perfectly normal mistake by saying:

    "The exact same perfect storm appears to caused our friends at Smile to hit the same rough seas that we had..."

    Bullshit. You can't say it's affected other companies so that's okay. There's a monumental difference between some PDF software and a password manager.



    How do they communicate with developers then? Of course they tell them of any changes. In this case there is evidence, directly from Apple (which Apple may choose to release in due course), that Apple told them of the changes in response to an earlier service request.

    But even if Apple didn't notify them personally the onus still lies with 1Password to keep up-to-date. They are writing security critical software after all.


    I'm already hearing anecdotal evidence from colleagues that they (and their companies) won't be renewing subscriptions to 1Password. Those same IT pros won't be recommending 1Password either - they're actively discouraging people from moving towards the service.

    1Password have severely damaged any reputation they've built because of these breaches... and it's not the first time. The last time there was a serious issue they played it down by blaming customers for not migrating to a new data format although 1Password didn't think it was necessary to inform customers that they needed to do this and the new format was not compatible with all platforms.
     
    ahr10, Feb 25, 2017
    #15