1Password and Dropbox (security tweaks wanted)

Want some more security issues to make yourself ill at ease?

After the Dropbox ruckus, their reply and intermediate fallout, I’ve been patiently reviewing the way I use it - more out of a matter of principle than anything else, since the sensitive info I have there is inside encrypted disk images and the bulk of my data is as public as this site - I just don’t like being lied to, be it deliberately or by omission, and have (together with a few colleagues) been looking at alternatives[1].

Cue the Sony fracas, and I’ve found enough motivation to rotate all my passwords early and patiently remove credit card details from here and there.

And in the process I’ve found some interesting tidbits, not all of them good.

Take 1Password, undoubtedly the best web site login management solution for just about any platform (well, except Linux, but that’s not really relevant). They support Dropbox syncing between Macs and iOS devices. They stand by it publicly, and the file data seems to be (mostly) adequately encrypted, but if you do use Dropbox with it, I suggest you issue the following command in a terminal window and ponder its implications:

cat ~/Dropbox/1Password.agilekeychain/data/default/contents.js

Yes, that is a human-readable listing of your 1Password items. There are no passwords there, but you’ll find a pretty good description of your 1Password’s database contents - site names, for instance, are pretty easy to figure out, and so are (potentially sensitive) URLs - I, for instance, use it to store passwords for private and corporate sites of various descriptions, and found a bunch of them by issuing:

grep http ~/Dropbox/1Password.agilekeychain/data/default/*

These are, of course, for the benefit of the rather nice self-contained 1PasswordAnywhere web app you can see by doing:

open ~/Dropbox/1Password.agilekeychain/1Password.html

…but, still, you have to wonder if that information ought to be there at all by default. Furthermore, it seems that Agile has no schedule for providing a way to disable or improve upon this feature[2], which is annoying because even though I like it a lot I see it as a security flaw on a product that should have none.

I expect most people to regard this as a not particularly serious security issue, but it is at the very least an information leak due to implementation details that needs to be fixed.

Even though the likelihood of these files ever being accessed by anyone else (even over Dropbox) is rather small, I’d rather not have any of that information so easily accessible, and there’s really no excuse considering that everything else related to 1Password (thanks to judicious poking with dtrace and lsof) seems to exclusively use the binary encrypted files inside ~/Dropbox/1Password.agilekeychain/a/default/.

The JavaScript bits are solely for the benefit of 1PasswordAnywhere, and therefore this leak is only related to its implementation.
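To check what a synced keychain exposes, this added example (not from the original post or from Agile) lists the hostnames and files under data/default that are readable without the master password. The `make_sample` bundle, its file names and its JSON layout are constructed assumptions; only the data/default path comes from the commands above.

```bash
#!/usr/bin/env bash
# Added example (not 1Password's own tooling): list what a synced
# .agilekeychain bundle reveals without the master password.

# Print the unique hostnames readable in plaintext under DIR/data/default.
# Handles both plain ("http://") and JSON-escaped ("http:\/\/") URLs.
leaked_hosts() {
  grep -rhoE 'https?:\\?/\\?/[^"\\/[:space:]]+' "$1/data/default" 2>/dev/null \
    | sed -E 's#^https?:\\?/\\?/##; s#^[^@]*@##; s#:[0-9]+$##' \
    | tr '[:upper:]' '[:lower:]' | sort -u
}

# Print the files (relative to DIR) that contain at least one readable URL.
leaky_files() {
  (cd "$1" && grep -rlE 'https?:\\?/\\?/' data/default 2>/dev/null | sort)
}

# Exit status 0 = nothing readable, 1 = plaintext site metadata present.
audit_keychain() {
  local hosts; hosts=$(leaked_hosts "$1")
  [ -z "$hosts" ] && { echo "no readable URLs in $1/data/default"; return 0; }
  echo "readable without the master password:"
  echo "$hosts" | sed 's/^/  host: /'
  leaky_files "$1" | sed 's/^/  file: /'
  return 1
}

# Constructed sample bundle; file names and JSON layout are assumptions.
make_sample() {
  local d; d=$(mktemp -d)/sample.agilekeychain
  mkdir -p "$d/data/default"
  printf '%s\n' '[["0001","Login","Intranet","https://wiki.corp.example/login"],' \
    ' ["0002","Login","Bank","http:\/\/Bank.example:8443\/signin"]]' \
    > "$d/data/default/contents.js"
  printf '%s\n' '{"title":"Intranet","encrypted":"(opaque)"}' \
    > "$d/data/default/0001.item"
  echo "$d"
}

# Usage: ./audit.sh ~/Dropbox/1Password.agilekeychain
if [ -n "${1:-}" ]; then audit_keychain "$1"; fi
```

The non-zero exit status makes it usable as a periodic check on the synced folder.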

The fun bit is that I know a lot of security-conscious folk who use 1Password and never bothered to look into this sort of thing - I bought it an hour or so ago, and spotted this within minutes.

  1. cue my usual (and seldom recently used) disclaimer… 

  2. they do, to their credit, have some solid thinking and plans for improving other security aspects of the app.