SIK-2016-042


Title:

Privacy Issue: Information Leaked to Vendor by 1Password Password Manager

Report ID:

SIK-2016-042

Summary:

  • Vendor: AgileBits
  • Product: 1Password – Password Manager
  • Affected Version: 6.3.3
  • Severity: low
  • Short summary:

When the user creates a new entry containing credentials for a website, the respective target domain is leaked to the vendor's web server.

Details:

When the user creates a new entry containing credentials for a website, the respective target domain is sent to the vendor's web server in order to obtain an icon for the site. While this lets the user see the site's icon next to its name, it also means that the vendor of the password manager learns every site for which the user has created a database entry. Because the lookups from one installation originate from the same client IP address, the vendor can in principle correlate them into a per-user list of sites.
It is unclear why the password manager uses a server-side icon cache instead of downloading the icons directly from the respective target sites, as a browser does.

If the user stores credentials for privacy-sensitive sites, the vendor can infer personal interests or affiliations of the user, e.g., that the user has an account on the forum of a political party.
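The following is an added example, not part of the advisory and not code from the vendor: it shows how the behaviour described above can be confirmed from the client side by routing the password manager through an intercepting proxy and auditing the request log. Every request whose path or query carries one of the user's stored domains to some other host is flagged, and the flagged requests are grouped by destination, which is exactly the per-user site list the receiving host learns. The log lines, the stored domains and the hostnames (vendor-cache.example and friends) are constructed for the example; they are not the real vendor endpoint.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: domains for which the user has stored entries.
STORED_SITES = {"forum.example-party.org", "bank.example.com", "mail.example.net"}

# Constructed proxy log (client_ip method url); not captured traffic, and the
# vendor-cache.example hostnames are placeholders, not a real endpoint.
PROXY_LOG = """\
10.0.0.7 GET https://icons.vendor-cache.example/icon?domain=forum.example-party.org&size=64
10.0.0.7 GET https://icons.vendor-cache.example/icon?domain=bank.example.com&size=64
10.0.0.7 GET https://bank.example.com/favicon.ico
10.0.0.7 GET https://cdn.vendor-cache.example/icons/mail.example.net.png
10.0.0.7 GET https://update.vendor-cache.example/check?version=6.3.3
"""

# A run of two or more dot-separated DNS-style labels.
LABEL_RUN = re.compile(r"(?i)[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+")


def parse_log(text):
    """Yield (client_ip, method, url) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        client_ip, method, url = line.split(None, 2)
        yield client_ip, method, url.strip()


def domain_mentions(url, known):
    """Return the known domains that appear in the path or query of url.

    Each dotted token is split into labels and every run of two or more
    labels is checked, so 'mail.example.net.png' still reveals 'mail.example.net'.
    """
    parts = urlsplit(url)
    text = unquote(parts.path + "?" + parts.query)
    found = set()
    for token in LABEL_RUN.findall(text):
        labels = token.lower().split(".")
        for i in range(len(labels)):
            for j in range(i + 2, len(labels) + 1):
                candidate = ".".join(labels[i:j])
                if candidate in known:
                    found.add(candidate)
    return found


def find_leaks(log_text, known):
    """List (destination_host, stored_domain) for every request that carries a
    stored domain to a host other than that domain itself or one of its subdomains."""
    leaks = []
    for _ip, _method, url in parse_log(log_text):
        host = (urlsplit(url).hostname or "").lower()
        for domain in sorted(domain_mentions(url, known)):
            if host == domain or host.endswith("." + domain):
                continue  # the site learning about itself is not a leak
            leaks.append((host, domain))
    return leaks


def profile_by_destination(leaks):
    """What each third-party host learns: host -> sorted list of stored sites."""
    profile = {}
    for host, domain in leaks:
        profile.setdefault(host, set()).add(domain)
    return {host: sorted(domains) for host, domains in profile.items()}


if __name__ == "__main__":
    for host, domains in profile_by_destination(find_leaks(PROXY_LOG, STORED_SITES)).items():
        print(f"{host} learns: {', '.join(domains)}")
```

The bank's own favicon request and the version check are not flagged: the first reveals nothing the site does not already know, the second carries no stored domain. Only requests that hand a stored domain to an unrelated host appear in the profile.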

Workaround:

None available.

Suggested Mitigation:

The password manager should not disclose any information about stored web sites to the vendor. To display icons, the app should download the icon file directly from the respective web site, just as a browser does: use the icons the page declares in its <link rel="icon"> entries and fall back to /favicon.ico at the site's origin. This still reveals the lookup to the target site, which already knows the user has an account there, but not to the vendor.
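As an added example of the suggested mitigation (not code from the advisory or from the vendor), the following discovers a site's icon the way a browser does: it parses the landing page for <link rel="icon"> and apple-touch-icon entries, resolves them against the site URL, appends the /favicon.ico fallback, and fetches the first candidate that answers. All requests go to hosts the site itself names, none to a vendor-side cache. The fetch function is injectable so the flow runs offline here; the site URL, the HTML and the stand-in fetcher are constructed for the example, and example-party.org is a placeholder, not a real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import urllib.request

# Constructed sample site (placeholder domain, not a real one).
SITE_URL = "https://forum.example-party.org/"
SITE_HTML = """<html><head>
<link rel="shortcut icon" href="/static/favicon.ico">
<link rel="icon" type="image/png" sizes="32x32" href="//cdn.example-party.org/icon-32.png">
<link rel="stylesheet" href="/static/site.css">
</head><body>Welcome</body></html>"""


class IconLinkParser(HTMLParser):
    """Collect href values of <link> tags whose rel names an icon."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()  # "shortcut icon" -> two tokens
        if a.get("href") and any(r in ("icon", "apple-touch-icon") for r in rel):
            self.hrefs.append(a["href"])


def icon_candidates(site_url, html):
    """Ordered, de-duplicated absolute icon URLs: declared <link> icons first,
    then the /favicon.ico fallback that browsers try when none is declared."""
    parser = IconLinkParser()
    parser.feed(html)
    origin = urlsplit(site_url)
    fallback = f"{origin.scheme}://{origin.netloc}/favicon.ico"
    seen, out = set(), []
    for href in parser.hrefs + [fallback]:
        url = urljoin(site_url, href)
        if urlsplit(url).scheme in ("http", "https") and url not in seen:
            seen.add(url)
            out.append(url)
    return out


def hosts_contacted(site_url, html):
    """Every host the icon lookup talks to: the site and whatever it names."""
    return sorted({urlsplit(u).hostname for u in [site_url] + icon_candidates(site_url, html)})


def fetch_icon(site_url, get=None):
    """Fetch the landing page, then the first icon candidate that responds.

    get(url) -> bytes is injectable so the flow can run offline; by default it
    uses urllib with a timeout. Returns (icon_url, bytes) or None.
    """
    if get is None:
        def get(url):
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read()
    html = get(site_url).decode("utf-8", "replace")
    for url in icon_candidates(site_url, html):
        try:
            data = get(url)
        except Exception:  # 404, timeout, refused: try the next candidate
            continue
        if data:
            return url, data
    return None


def offline_get(url):
    """Constructed stand-in for the network: serves the landing page and one
    icon; the first declared icon is made to fail so the fallback path runs."""
    if url == SITE_URL:
        return SITE_HTML.encode()
    if url == "https://cdn.example-party.org/icon-32.png":
        return b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    raise OSError(f"404 {url}")


if __name__ == "__main__":
    print("hosts contacted:", hosts_contacted(SITE_URL, SITE_HTML))
    print("icon:", fetch_icon(SITE_URL, offline_get)[0])
```

The hosts contacted are the target site and a CDN the site itself chose; the manager's vendor appears nowhere in the exchange. A production version would also send the request without cookies or credentials and cache the result locally so the lookup happens once per entry rather than on every display.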

Timeline:

  • 2016-09-01 Vulnerability Reported.
  • 2016-09-27 Fixed