Open Alino opened 4 months ago
Yeah this has been my biggest hesitation on this project is taking on the "ownership" of trust in repackaging a product that's essentially not mine, but one that I'm archiving. I wanted to try and take an approach of finding the hashes and then everything would fall into place, but it's obviously not that easy. I believe that archiving and maintaining the archives is the way to go, and that future development is absolutely "At Your Own Risk" with lots of caution tape, etc. ;)
Cheers
I have voluntarily reviewed the files that could potentially contain backdoors or security issues. https://github.com/scramblr/1password/pull/1
My methodology was to compare my own local 1password extension files, which I originally downloaded from the 1Password website maybe more than a year ago, with the files in this repo and inspecting the diff for any harmful things.
Here is my report:
injected.min.js - no diff other than a new line removed at the end of the file
global.min.js - same as above
ext/sjcl.js - same as above
manifest.json - the extension key and update_url have been modified. update_url old value -> https://cdn.agilebits.com/dist/1P/ext/autoupdate_chrome4.xml update_url new value -> https://clients2.google.com/service/update2/crx The new update_url belongs to google. This might be a potential security issue if you don't trust the author about future updates, because the extension could get automatically updated - potentially with bad code from google's chrome store - by the owner of the private keys of this modified extension.
solution: remove key and update_url from manifest so that you disassociate the extension from the author's private key. Otherwise looks safe, as the original one, with no weird changes.
It's still broken at this point.
I kind of wonder if it's possible to fix this on the browser extension side. It might be possible that the latest version of the 1Password 7 desktop app contains code that denies the communication with the browser extension. I have gone a bit through the code and it seems to me that it's trying to connect to the desktop app and fails with no reason provided by 1Password.
If someone has older desktop version they might try.
I might migrate from 1Password to Enpass though.
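As an added example (not code from this thread or from the repo), a small Python check that automates the comparison described in the review above: it hashes a trusted and a repackaged set of extension files, separates whitespace-only differences (such as a removed trailing newline) from real changes, flags a manifest that carries a key or a non-vendor update_url, and applies the proposed fix of dropping both fields. The trusted URL is the old update_url quoted in the review; the file contents and key value are constructed sample data.

```python
import hashlib
import json

# Trusted update_url of the original extension, as quoted in the review above.
TRUSTED_UPDATE_URL = "https://cdn.agilebits.com/dist/1P/ext/autoupdate_chrome4.xml"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_trees(trusted: dict, candidate: dict) -> dict:
    """Classify each file ({name: bytes}) as added, removed, changed, or whitespace-only."""
    report = {"added": sorted(set(candidate) - set(trusted)),
              "removed": sorted(set(trusted) - set(candidate)),
              "changed": [], "whitespace_only": []}
    for name in sorted(trusted.keys() & candidate.keys()):
        if sha256_bytes(trusted[name]) == sha256_bytes(candidate[name]):
            continue  # byte-identical, nothing to report
        # A trailing-newline change, as seen in the review, is whitespace-only.
        same_tokens = trusted[name].split() == candidate[name].split()
        report["whitespace_only" if same_tokens else "changed"].append(name)
    return report


def audit_manifest(manifest: dict) -> list:
    """Flag fields that let the holder of the signing key push future updates."""
    findings = []
    if "key" in manifest:
        findings.append("key: extension ID is pinned to the repackager's private key")
    url = manifest.get("update_url")
    if url is not None and url != TRUSTED_UPDATE_URL:
        findings.append(f"update_url: {url} is not the original vendor URL")
    return findings


def strip_auto_update(manifest: dict) -> dict:
    """The fix proposed in the review: drop key and update_url from the manifest."""
    return {k: v for k, v in manifest.items() if k not in ("key", "update_url")}


if __name__ == "__main__":
    # Constructed sample data: a trusted snapshot and a repackaged copy.
    original = {"injected.min.js": b"console.log(1);\n",
                "manifest.json": json.dumps({"name": "x", "update_url": TRUSTED_UPDATE_URL}).encode()}
    repack = {"injected.min.js": b"console.log(1);",  # trailing newline removed
              "manifest.json": json.dumps({"name": "x", "key": "CONSTRUCTED-KEY",
                  "update_url": "https://clients2.google.com/service/update2/crx"}).encode()}
    print(compare_trees(original, repack))
    print(audit_manifest(json.loads(repack["manifest.json"])))
```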