Funkenstrahlen Podcasting, Net Politics, App Development

1Password Leaks Metadata

In a blog post, Dale Myers explains how your 1Password keychain leaks metadata about all of your logins.

The file that had issues was 1Password.agilekeychain/data/default/contents.js. Being a curious kind of guy I opened the file to see what was in there. The answer is the name and address of every item that I have in 1Password. Every single one. In plain text.

This is caused by the Agile Keychain format and, fortunately, is fairly easy to fix by switching to the OPVault format.

The problem has been known since March 2013. The discussion about it can be found in the AgileBits forum.
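To check what your own keychain exposes, here is an added example (not code from Dale Myers' post or from AgileBits) that reads a contents.js file and reports which item titles and hosts are readable without the master password. It assumes contents.js is a JSON array whose entries begin with uuid, type, title and location; the sample data is constructed.

```python
import json
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Assumed entry layout (not stated on this page): [uuid, type, title, location, ...]
FIELDS = ("uuid", "type", "title", "location")

# Constructed sample in the assumed layout; the last entry is malformed on purpose.
SAMPLE = json.dumps([
    ["A1B2", "webforms.WebForm", "Example Bank", "https://bank.example/login", 1444000000],
    ["C3D4", "webforms.WebForm", "Mail", "mail.example", 1444000001],
    ["E5F6", "securenotes.SecureNote", "Recovery codes", "", 1444000002],
    ["bad"],
])

def parse_contents(text):
    """Return the unencrypted metadata rows found in a contents.js string."""
    rows = []
    for entry in json.loads(text):
        if not isinstance(entry, list) or len(entry) < len(FIELDS):
            continue  # skip anything that does not match the assumed layout
        rows.append(dict(zip(FIELDS, entry)))
    return rows

def exposure_report(rows):
    """Summarise what a reader of the file learns without the master password."""
    hosts = set()
    for row in rows:
        loc = row["location"] if isinstance(row["location"], str) else ""
        # Locations may be full URLs or bare host names; normalise both.
        host = urlsplit(loc if "//" in loc else "//" + loc).hostname
        if host:
            hosts.add(host)
    titles = sorted(str(row["title"]) for row in rows)
    return {"items": len(rows), "titles": titles, "hosts": sorted(hosts)}

def find_keychains(root):
    """Locate contents.js files of Agile Keychain bundles below root."""
    return sorted(Path(root).rglob("*.agilekeychain/data/default/contents.js"))

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("constructed sample:", exposure_report(parse_contents(SAMPLE)))
    for root in sys.argv[1:]:
        for path in find_keychains(root):
            report = exposure_report(parse_contents(path.read_text(encoding="utf-8")))
            print(path, "items:", report["items"], "hosts:", ", ".join(report["hosts"]))
```

Run it with the folder that holds your synced keychain as the argument; any output line means a bundle in the older format is present there.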

Update:

AgileBits comments on the topic:

Over the weekend Dale Myers wrote a blog post that examined our .agilekeychain format. The post featured a good discussion and analysis of our older data format, but it raised some questions among 1Password users and the wider technology community.

Dale states that he plans to continue using 1Password and has no concerns over the safety of his passwords themselves, but his main concern was how the AgileKeychain handles item URLs. While we widely documented this design decision and shared it publicly, Dale was surprised to find out that we didn’t encrypt URLs within the keychain. We want to reassure users that rely on AgileKeychain that their password data is safe and secure, and take the time to walk through our data formats to explain the issue completely.