SIK-2016-039


Title:

HTTPS downgrade to HTTP URL by default in 1Password Internal Browser

Report ID

SIK-2016-039

Summary:

  • Vendor: AgileBits
  • Product: 1Password – Password Manager
  • Affected Version: 6.3.3
  • Severity: high
  • Short summary:

In the internal web browser, the default scheme is HTTP. If the user visits a web site without specifying the full URL, e.g. only “google.com”, the password manager completes it to “http://google.com” and loads the site over plain HTTP.

Details:

In the internal web browser, the default scheme is HTTP. If the user visits a web site without specifying the full URL, e.g. only “google.com”, the password manager completes it to “http://google.com” and loads the site over plain HTTP. This means that even sites that support HTTPS are contacted over HTTP unless the user types the scheme, so the transport protection they offer is not used by default.

When a site is loaded over HTTP instead of HTTPS, the connection has no confidentiality, the remote web site is not authenticated and there is no integrity protection. An attacker on the network path (e.g. on public Wi-Fi) can read or modify the page and any form data submitted to it, including any credentials the password manager fills into the page, and can rewrite links in the plaintext response so that the session never reaches the site's own redirect to HTTPS.

Workaround

Users should always enter full URLs including the scheme (e.g. “https://google.com”) when visiting websites in the password manager’s internal web browser.

Suggested Mitigation

When extending the web address the user has entered to a full URL (which already happens inside the code of the password manager), choose the secure default. Instead of prepending “http://” (which is what the app currently does), prepend “https://” and only fall back to “http://” if the remote server does not support TLS. The fallback deserves care: an active attacker can make a TLS connection fail (by blocking port 443 or tampering with the handshake), so falling back on any TLS error reintroduces the downgrade. Fall back only when the host offers no TLS service at all, never on a certificate or handshake error, and preferably only after the user has confirmed. Input that already carries an explicit scheme should be left untouched.
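The following is an added example, not 1Password's code: it shows the address completion the advisory describes (a bare host becomes an http:// URL) beside a secure variant that defaults to https:// and downgrades only under a narrow, opt-in condition. The probe callable passed to resolve_with_fallback is an assumption of this example (in a real browser it would be the HTTPS fetch itself); the TlsUnavailable class stands for "no TLS listener at all" as opposed to a certificate or handshake error.

```python
"""
Default-scheme completion for a browser address bar.

Added example, not 1Password's own code. It contrasts the insecure behaviour
described in advisory SIK-2016-039 (prepend "http://") with a secure default
("https://" first, HTTP only as an explicit, narrow fallback).
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Matches input that already carries a URL scheme, e.g. "http://", "HTTPS://", "ftp://".
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def complete_url_insecure(user_input: str) -> str:
    """The behaviour the advisory describes: a bare host becomes an http:// URL."""
    text = user_input.strip()
    if _SCHEME_RE.match(text):
        return text
    return "http://" + text


def complete_url(user_input: str, default_scheme: str = "https") -> str:
    """Secure default: a bare host ("google.com", "google.com/maps") becomes https://.

    Input that already names a scheme is left alone, so a user who deliberately
    types "http://" still gets HTTP; scheme-relative input ("//host/x") gets the
    default scheme as well.
    """
    text = user_input.strip()
    if not text:
        raise ValueError("empty address")
    if text.startswith("//"):
        return f"{default_scheme}:{text}"
    if _SCHEME_RE.match(text):
        return text
    return f"{default_scheme}://{text}"


class TlsUnavailable(Exception):
    """Raised by the probe when the host offers no TLS service at all
    (connection refused, nothing listening on 443).

    Certificate and handshake errors are deliberately NOT this class: they may
    be an active attacker, so they must never trigger a downgrade to HTTP.
    """


def resolve_with_fallback(user_input: str, probe, allow_http_fallback: bool = False) -> str:
    """Return the URL the browser should actually load.

    `probe(url)` is an injected callable (an assumption of this example) that
    attempts an HTTPS fetch: it returns normally on success, raises
    TlsUnavailable when no TLS service exists, and raises any other exception
    for certificate errors, handshake failures or timeouts. Only TlsUnavailable
    is eligible for fallback, and only when the caller opted in (e.g. after a
    user confirmation); everything else propagates so the user sees an error
    instead of a silent downgrade.
    """
    url = complete_url(user_input)
    if urlsplit(url).scheme.lower() != "https":
        return url  # user chose the scheme explicitly; respect it
    try:
        probe(url)
        return url
    except TlsUnavailable:
        if not allow_http_fallback:
            raise
        parts = urlsplit(url)
        return urlunsplit(("http",) + tuple(parts[1:]))


if __name__ == "__main__":
    # Constructed sample input, mirroring the advisory's "google.com" case.
    for entered in ("google.com", "google.com/maps?q=1", "http://legacy.example", "//cdn.example/x"):
        print(f"{entered:25} insecure -> {complete_url_insecure(entered):32} secure -> {complete_url(entered)}")
```

The probe is injected so the downgrade policy can be tested without network access; in a real browser it is the HTTPS request itself, and the important property is that a certificate or handshake error never becomes an HTTP retry.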

Timeline

  • 2016-09-01 Vulnerability Reported.
  • 2016-09-27 Fixed