About the issue
An issue was discovered in 1Password Secrets Automation that may affect anyone who created a Secrets Automation workflow before September 8, 2021. Workflows created before that date allowed someone with knowledge of the issue, ability to reverse engineer the 1Password.com web app frontend, and permission to view the workflow to also fetch its credentials and impersonate it.
The issue was discovered internally in August 2021, and we have not received any indication this bug has been misused. We introduced mitigations to reduce the attack surface of the bug in August 2021, and released further fixes on 1Password.com on and before September 8, 2021. We are providing affected users a way to identify affected vaults and fix the permissions.
Who may be affected
Anyone who has created a Secrets Automation workflow before September 8, 2021, may be affected. You are affected by this issue specifically if all of the following applies:
- You use 1Password Teams or 1Password Business
- You provide users access to your workflows, while restricting their permissions, so they can’t issue Secrets Automation tokens
- The users you have provided this access to are not able to access the vaults in the workflow with the access of their own user account
You are also affected if you currently don’t have Secrets Automation workflows set up this way but have in the past.
Recommended action
Step 1: Fix permissions in your workflow
Before you can fix the permissions in your workflows, you’ll need your 1Password sign-in address. For example: agilebits.1password.com, example.1password.com.
If you don’t know your sign-in address, go to https://start.1password.com/signin/team, click “Find my account”, and enter the email address associated with your account. You can also find your sign-in address in your Emergency Kit.
Then visit the following address, replacing <sign-in-address> with your sign-in address, and click “Fix now”:
https://<sign-in-address>/developer-tools/review-connect
From now on, the issue cannot continue to be exploited in any of your workflows.
In some cases permissions have been fixed automatically. If they have been fixed automatically, or after you have previously applied the fix yourself, you should instead see the following message on this page:
If you see the message above, you may proceed to Step 2.
Step 2: Recreate workflows that may have been exploited
After you fix the permissions for your workflows, you can delete and recreate ones that you believe were at risk of being misused before the fix.
To help you review workflows that may have been at risk, your dashboard shows a list of your workflows created before September 8, 2021. Users that were able to view these workflows were theoretically able to obtain the credentials of these Secret Automations. To do this, they required the ability to reverse engineer the 1Password.com web app frontend and permission to view the workflow to also fetch its credentials and impersonate it.
The way to review access to the workflows depends on which product you’re using:
- 1Password Teams: Check to see if the Team Members group has or had access to the Secrets Automation.
- 1Password Business: You can use the Activity Log as well as the Secrets Automation usage log available on the dashboard.
If you believe that a Secrets Automation workflow has been at risk of having been exploited in the past, delete and recreate it.
If you use the 1Password command-line tool
If you use the 1Password command-line tool to manage your Secrets Automations, upgrade it to version 1.11.4 or later. Although there is no security impact for the 1Password command-line tool in this advisory, versions 1.11.3 and earlier can no longer be used to manage Secrets Automations for compatibility reasons.
To check your version, run op --version.
Impact and exploitability
1Password Secrets Automation is a feature IT administrators use in their own networks to automate using secrets stored in 1Password in the maintenance and development of their IT infrastructure and applications. This bug doesn’t affect anyone that doesn’t use 1Password Secrets Automation.
This issue allows users that have restricted access to a Secrets Automation to bypass those restrictions. For example, suppose you have a 1Password account with 10 vaults, and a Secrets Automation workflow is configured to provide access to 3 of them: Foo, Bar, and Baz. Suppose that user Alice only has access to vault Foo but is able to view the workflow. Alice can then obtain the credentials for that workflow and use that to access Foo, Bar, and Baz – all 3 vaults the workflow may access. To do this, Alice must manually inspect the internal state of the 1Password web app in a way that is not offered by the user interface as well as use the obtained data in ways that are not offered by 1Password products. Exploitation of this bug is highly technical in nature, and we have not received any indication this bug has been misused.
Users that are able to view Secrets Automation workflows in many circumstances already have a certain level of privileged access – usually these privileges are limited to a set of IT administrators. Nonetheless, within this group many will want to enforce a principle of least privilege when managing Secrets Automations. This issue can be used to circumvent enforcement of that principle.
This issue does not allow extending access to vaults beyond what the Secrets Automation workflow was configured to access. In the example above, it did not allow Alice to access the remaining 7 vaults that were inaccessible to the Secrets Automation.
Commentary
This issue bears a strong resemblance to a previous security advisory published for 1Password Secrets Automation, and we believe that this similarity comes from the same causes. We are actively reviewing our implementation to make sure that issues of this nature are no longer present. We have and will continue to work with internal and external audits to find and prevent security bugs in Secrets Automation. Moreover, as noted in the previous issue, we are considering more extensive changes to Secrets Automation authentication with enhanced resilience against similar issues.