SIK-2016-040


Title:

Titles and URLs Not Encrypted in 1Password Database

Report ID:

SIK-2016-040

Summary:

  • Vendor: AgileBits
  • Product: 1Password – Password Manager
  • Affected Version: 6.3.3
  • Severity: medium
  • Short summary:

In the database of the password manager, the titles and URLs of website entries are not encrypted.

Details:

In the database of the password manager, the titles and URLs of website entries are not encrypted. An attacker who obtains a copy of the encrypted database can therefore extract the list of websites for which a user has stored credentials without breaking the cryptography or exploiting any other vulnerability.

Leaking the URLs can, depending on the website (forums of political parties, sites on specific medical conditions, bankruptcy, homosexuality, etc.), lead to privacy issues and expose sensitive information about the user’s browsing habits and personal interests / orientations.

Workaround:

Until the vulnerability has been fixed, users should not enter the real URLs or names of the services they use.

Suggested Mitigation:

The password manager should encrypt not only the credentials (username and password) but also all metadata of a database entry, including its title and URL, so that a copy of the database reveals nothing about which services a user has accounts with.
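To make the advisory's point concrete, here is an added example; it is not code or a file format from AgileBits or 1Password, and the JSON layout, field names and sample entry are constructed for illustration. It stores one entry in the weak layout the Details section describes (title and URL in the clear beside an encrypted credential blob) and in the hardened layout of the suggested mitigation (the entire item is one ciphertext behind a random, meaningless id). `urls_visible_without_key` is the audit a defender can run over a copy of the database: a plain pattern match over the file bytes with no key involved, which is exactly what an attacker holding only the file gets. The cipher is a standard-library HMAC-SHA256 encrypt-then-MAC construction used here as a stand-in for a real AEAD such as AES-GCM; an actual vault should use a vetted AEAD, not this stand-in.

```python
import base64
import hashlib
import hmac
import json
import os
import re


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and authentication sub-keys from the vault key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only PRF keystream (stand-in for AES-CTR/GCM)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; any tampering is rejected."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_derive(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed sample entry; not real credentials.
SAMPLE_ITEM = {
    "title": "Example Bank",
    "url": "https://bank.example/login",
    "username": "alice",
    "password": "correct-horse-battery-staple",
}


def store_metadata_in_clear(key: bytes, item: dict) -> dict:
    """Weak layout the advisory describes: only the credentials are encrypted,
    while title and URL sit in the clear next to them."""
    secret = json.dumps({"username": item["username"], "password": item["password"]})
    return {"title": item["title"], "url": item["url"], "secret": _b64(encrypt(key, secret.encode()))}


def store_fully_encrypted(key: bytes, item: dict) -> dict:
    """Hardened layout: the whole item, metadata included, is one ciphertext;
    the only cleartext field is a random record id that carries no meaning."""
    return {"id": _b64(os.urandom(16)), "blob": _b64(encrypt(key, json.dumps(item).encode()))}


def load_item(key: bytes, record: dict) -> dict:
    """Open a hardened record with the vault key."""
    return json.loads(decrypt(key, base64.b64decode(record["blob"])))


def serialize(records: list) -> bytes:
    """Write the vault as it would sit on disk (constructed JSON format)."""
    return json.dumps(records).encode()


def urls_visible_without_key(vault_bytes: bytes) -> list:
    """Audit check over the on-disk bytes: every URL the file reveals to someone
    who holds no key at all. Base64 cannot contain ':', so ciphertext never matches."""
    text = vault_bytes.decode("utf-8", errors="ignore")
    return sorted(set(re.findall(r"https?://[^\s\"'<>]+", text)))


if __name__ == "__main__":
    key = os.urandom(32)
    weak = serialize([store_metadata_in_clear(key, SAMPLE_ITEM)])
    hardened = serialize([store_fully_encrypted(key, SAMPLE_ITEM)])
    print("weak layout leaks:", urls_visible_without_key(weak))
    print("hardened layout leaks:", urls_visible_without_key(hardened))
```

The same audit function can be pointed at any exported vault or backup file: if it returns anything, metadata is being stored outside the encrypted envelope. Note that a fully encrypted layout also has to move search and sorting behind the key, since the client can no longer index titles and URLs from the cleartext; that is the cost of closing this leak.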

Timeline:

  • 2016-09-01 Vulnerability reported.
  • 2016-09-27 Fixed.