SIK-2016-041


Title:

Read Private Data From App Folder in 1Password Manager

Report ID:

SIK-2016-041

Summary:

  • Vendor: AgileBits
  • Product: 1Password – Password Manager
  • Affected Version: 6.3.3
  • Severity: medium
  • Short summary:

The built-in web browser allows files from the app’s private data directory to be extracted. This also allows access to the database file and the file containing the app’s shared preferences.

Details:

The built-in web browser allows files from the app’s private data directory to be extracted. This also allows access to the database file and the file containing the app’s shared preferences.

Technical background: The internal browser does not restrict access to the “file:///” scheme. An attacker can thus specify arbitrary paths on the phone to which the app has access, and the browser will display or offer the respective file for download. Since the app has full access to its own private data folder, this effectively circumvents Android’s app isolation model.

Obtaining access to the app’s private data directory enables some of the other attacks described in this advisory. It unnecessarily bypasses the additional security provided by Android’s app isolation model.

Workaround:

None available.

Suggested Mitigation:

The password manager should validate entered URIs and ensure that either the complete “file:///” scheme is blocked or, at a minimum, that the app’s sensitive files cannot be loaded through the built-in browser.
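One way to implement this mitigation in an Android WebView, as an added illustration (not AgileBits’ code; the class and method names are hypothetical): local-file access is switched off in the WebSettings, and a WebViewClient refuses every navigation whose scheme is not http or https.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Locale;

// Hypothetical helper: hardens a WebView so that file:/// and content://
// URIs cannot be rendered or offered for download.
public final class HardenedWebViewClient extends WebViewClient {

    // Call once after the WebView is created, before the first loadUrl().
    public static void harden(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setAllowFileAccess(false);                // no file:// loads at all
        s.setAllowFileAccessFromFileURLs(false);    // no file -> file reads
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setAllowContentAccess(false);             // no content:// providers
        webView.setWebViewClient(new HardenedWebViewClient());
    }

    // Allow-list on the scheme: anything that is not http(s) is refused,
    // which covers file:///data/data/<pkg>/... as well as other local schemes.
    public static boolean isAllowed(Uri uri) {
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false; // bare paths such as "/data/data/..." have no scheme
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        return scheme.equals("https") || scheme.equals("http");
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        // Returning true tells the WebView not to load the URL.
        return !isAllowed(request.getUrl());
    }

    @Override
    @SuppressWarnings("deprecation") // still invoked on API levels below 24
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isAllowed(Uri.parse(url));
    }
}
```

shouldOverrideUrlLoading is not invoked for URLs the app itself passes to loadUrl(), so the same isAllowed() check must run on user-entered URIs before the app calls loadUrl().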

Timeline:

  • 2016-09-01 Vulnerability reported.
  • 2016-09-27 Fixed.