About the issue
An issue was discovered in 1Password for Mac 7.2.3.BETA-0 through 7.2.3.BETA-2. A mistake in error logging resulted in instances where sensitive data passed from Safari to 1Password could be logged locally on the user’s machine. That data could include usernames and passwords which a user entered into Safari.
The bug was discovered internally on December 3, 2018, and 7.2.3.BETA-3 was released the same day which removed the erroneous logging statement. Version 7.2.3.BETA-4 was released later that day, and included code which removed the log files themselves. We delayed public notification until sufficient time had passed for 1Password beta users to install 7.2.3.BETA-4, which removes the logs.
This issue is listed under the Common Vulnerability Enumeration (CVE) CVE-2018-19863.
Who may be affected
The incorrect logging was only present in 1Password for Mac beta versions 7.2.3.BETA-0, 7.2.3.BETA-1, and 7.2.3.BETA-2. 7.2.3.BETA-0 was released on November 2, 2018. A fixed version was released on December 3, 2018.
The incorrect error logging was in a component that was handling communication from the Safari web browser. Information travelling from 1Password to Safari was not affected. The logging was triggered by various error conditions, so only a portion of messages from Safari to 1Password were written to logs.
To be among those potentially affected, all the following conditions must apply:
- Use one of the affected beta versions of 1Password for Mac: 7.2.3.BETA-0, 7.2.3.BETA-1, or 7.2.3.BETA-2.
- And use 1Password in Safari.
- And have entered information directly into login forms in Safari instead of using 1Password to fill the information.
Impact and exploitability
Affected users may have had some information which they entered into Safari written to disk in these logs. That data may include username and passwords that were being transmitted from Safari to 1Password. Information filled by 1Password would not have been included in the logs. A malicious actor or process with full (non-sandboxed) user read access to the user’s disk would have been able to read the log files and extract logged secrets.
Recommended actions
Those using affected beta versions of 1Password for Mac should update to 1Password 7.2.3.BETA-4 or later, which will remove any logs that may contain user secrets.
Those who want to verify that no secrets remain in log files may inspect the content of any files in the folder:
~/Library/Containers/com.agilebits.onepassword7.1PasswordSafariAppExtension/Data/Library/Logs/1Password
These log files are not typically included in most backups.
Commentary
First of all, we apologize for this bug. It is not the kind of bug that should appear in a product that people rely on to protect their privacy and security. There are numerous stages at which we should have prevented this bug from ever getting as far as it did.
We understand that the 1Password apps handle user secrets, and we understand that any logging action – even if only local to the user’s machine – could potentially write user secrets to disk. Built on that awareness, we have procedures and policies in place to prevent such inappropriate logging. Those procedures and policies failed in this case. We are therefore investigating additional procedures and policies as well as mechanisms that would more effectively enforce policies.