1Password and Dropbox (security tweaks wanted)

After the Dropbox ruckus, their reply and intermediate fallout, I’ve been patiently reviewing the way I use it - more out of a matter of principle than anything else, since the sensitive info I have there is inside encrypted disk images and the bulk of my data is as public as this site - I just don’t like being lied to, be it deliberately or by omission, and have (together with a few colleagues) been looking at alternatives 1…

Cue the Sony fracas, and I’ve found enough motivation to rotate all my passwords early and patiently remove credit card details from here and there.

And in the process I’ve found some interesting tidbits, not all of them good.

Want some more security issues to make yourself ill at ease?

Take 1Password, undoubtedly the best web site login management solution for just about any platform (well, except Linux, but that’s not really relevant). They support Dropbox syncing between Macs and iOS devices. They stand by it publicly, and the file data seems to be (mostly) adequately encrypted, but if you do use Dropbox with it, I suggest you issue the following command in a terminal window and ponder its implications:

    cat ~/Dropbox/1Password.agilekeychain/data/default/contents.js

Yes, that is a human-readable listing of your 1Password items.

There are no passwords there, but you’ll find a pretty good description of your 1Password’s database contents - site names, for instance, are pretty easy to figure out, and so are (potentially sensitive) URLs - I, for instance, use it to store passwords for private and corporate sites of various descriptions, and found a bunch of them by issuing:

    grep http ~/Dropbox/1Password.agilekeychain/data/default/*

These are, of course, for the benefit of the rather nice self-contained 1PasswordAnywhere web app you can see by doing:

    open ~/Dropbox/1Password.agilekeychain/1Password.html

…but, still, you have to wonder if that information ought to be there at all by default.

Furthermore, it seems that Agile has no schedule for providing a way to disable or improve upon this feature 2, which is annoying because even though I like it a lot I see it as a security flaw on a product that should have none.

I expect most people to regard this as a not particularly serious security issue, but it is at the very least an information leak due to implementation details that needs to be fixed.

Even though the likelihood of these files ever being accessed by anyone else (even over Dropbox) is rather small, I’d rather not have any of that information so easily accessible, and there’s really no excuse considering that everything else related to 1Password (thanks to judicious poking with dtrace and lsof) seems to exclusively use the binary encrypted files inside ~/Dropbox/1Password.agilekeychain/a/default/.

The JavaScript bits are solely for the benefit of 1PasswordAnywhere, and therefore this leak is only related to its implementation.

The fun bit is that I know a lot of security-conscious folk who use 1Password and never bothered to look into this sort of thing - I bought it an hour or so ago, and spotted this within minutes.

My excitement for iBooks being released on the Mac died when I finally got my hands on it when Mavericks first came out. The fact that it ripped my books out of iTunes and didn’t carry over the metadata that I had added to them, and giving all of the books non-descriptive titles within the Finder was my first issue. The second being the fact that I was not able to sync any data (position, bookmarks, notes etc) between the ePubs I currently had on my iOS devices with the Mac version of iBooks. I was confused because this task worked great between my iPhone and my iPad.
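The cat and grep checks on data/default/ from the 1Password post above can be turned into a per-file audit of your own keychain folder. This is an added example, not code from the post or from Agile: it assumes only the data/default path quoted in the post and no particular file layout, and it decodes JSON before matching because JSON may escape slashes (`http:\/\/`), which hides URLs from a plain pattern match.

```python
# Added example: lists hostnames readable without any key in a keychain folder.
import json
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>\\]+")

def strings_in(value):
    """Yield every string found anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        yield from strings_in(list(value.keys()) + list(value.values()))
    elif isinstance(value, list):
        for item in value:
            yield from strings_in(item)

def plaintext_urls(path):
    """Return the set of cleartext URLs in one file."""
    raw = Path(path).read_text(encoding="utf-8", errors="replace")
    try:
        chunks = list(strings_in(json.loads(raw)))
    except ValueError:
        chunks = [raw]  # not JSON: scan the raw text, as grep would
    return {m.group(0) for chunk in chunks for m in URL_RE.finditer(chunk)}

def host_of(url):
    # urlsplit raises ValueError on malformed bracketed hosts; skip those.
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None

def audit(directory):
    """Map each file in `directory` to the hostnames it exposes in cleartext."""
    report = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            hosts = {host_of(u) for u in plaintext_urls(path)} - {None}
            if hosts:
                report[path.name] = sorted(hosts)
    return report

if __name__ == "__main__":
    # Default path is the one quoted in the post; pass another as argv[1].
    default = Path.home() / "Dropbox/1Password.agilekeychain/data/default"
    for name, hosts in audit(sys.argv[1] if len(sys.argv) > 1 else default).items():
        print(f"{name}: {', '.join(hosts)}")
```

Files that produce no output line expose no cleartext URLs; any file that does appear is worth opening to see what other metadata sits beside the URL.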