1Password iOS has privacy problems? because the deleted data is not really deleted.

Discussion in 'iOS 11' started by greattrika, Mar 17, 2018.

  1. greattrika, Mar 17, 2018
    Last edited: Mar 17, 2018

    greattrika macrumors member

    greattrika

    Joined:
    Dec 21, 2017
    #1
    Hello users,

    I have found a possible privacy problem:

    https://www.reddit.com/r/ios/comments/853aj1/1password_ios_does_not_completely_delete_the/

    Here a other users discusses with a 1password member
    https://discussions.agilebits.com/discussion/comment/417440

    I can reproduce this problem, what the users mean. if you delete logins etc. they are not really deleted.
    but are in the trash, which is not visible in the iOS version. only visible on the desktop version.

    Here easy tutorial, how can you see this:
    1. Create a login under 1Password iOS.
    2. Delete the login.
    3. Sync this vault from 1Password iOS with the 1Password macOS or OS X e.g. via Dropbox, iCloud Drive or Wifi Sync.
    4. You can see in the 1Password macOS/OS X the login is not deleted. The login is in the trash.


    What do you say?
     
  2. BasicGreatGuy Contributor

    BasicGreatGuy

    Joined:
    Sep 21, 2012
    Location:
    In the middle of several books.
    #2
    The data on iOS is not accessible. As long as your master password is secure, there isn’t a problem.
     
  3. MacDawg macrumors Core

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #3
    I say if someone successfully hacks your Vault file or steals your iPhone (and gains access to it) you have bigger problems than deleted logins in the trash bin of 1Password
     
  4. NoBoMac macrumors 68000

    Joined:
    Jul 1, 2014
    #4
    This.

    If the passcode on your device is so weak in addition to a weak passcode for you password file, you got bigger problems and it is all on you.

    Eg. my phone has a alpha-numeric, mixed case, special characters 12 character passcode. My password file (mSecure) is a char 24 in length and setup to make a dictionary crack difficult.

    Too lazy to dig into 1Password sync mechanism now, but if like mSecure, I am syncing via Dropbox, which is encrypted at rest, password is random 25 char mixed, special, digits. Two-factor authentication on. Password file is encrypted locally with 256 bit AES before sending. In other words, lots of encryption/security to get through. If you have weak passcodes, you get what you deserve.
     
  5. ddrulez macrumors regular

    Joined:
    Dec 12, 2012
    Location:
    Germany
    #5
    Use a strong Master password to protect your logins.
    I can't see a problem here. Passwords in trash are outdated as well and not in use anymore.
     
  6. AppleMatt macrumors 68000

    AppleMatt

    Joined:
    Mar 17, 2003
    Location:
    UK
    #6
    I agree with you. If the app leads the user to believe they are or have deleted their data, but in fact they have not, that's not cool. Good find!

    AppleMatt
     
  7. mailbuoy macrumors member

    mailbuoy

    Joined:
    Jan 16, 2014
    Location:
    Davidsonville, MD
    #7
    It seems to me that this is much ado about nothing.

    Quoting Brent, AgileBits Team Member, in the discussion referenced by OP:

    "What "cracked vault"? All of this data is encrypted in 1Password, whether or not it's in the vault, in the Trash, or the fully deleted data is on disk because you haven't secure erased the whole thing, and the only way anyone can do anything with it is if you give them your Master Password, or use one that is easily guessable."

    So, if I understand correctly, 1Password data deleted from a vault goes to the 1Password trash can, which you can't see on the iOS version. But, it is still encrypted the same as when it was in the vault. So, it is as secure as all the data you originally entrusted to 1Password in the first place.

    If I am correct, I don't really see the issue. And, if I am wrong I am sure I will learn that soon! :)
     
  8. chabig macrumors 603

    Joined:
    Sep 6, 2002
    #8
    You are correct. There is no issue here.
     
  9. BasicGreatGuy, Mar 18, 2018
    Last edited: Mar 18, 2018

    BasicGreatGuy Contributor

    BasicGreatGuy

    Joined:
    Sep 21, 2012
    Location:
    In the middle of several books.
    #9
    I think the OP was reading Reddit and came across the story, or the OP is the author of the posts on 1Password and Reddit, didn't like the answers, and wanted to continue on with the supposed problem in another venue. Either way, it is a non-issue.

    And as Paul Harvey used to say, "Now you know the rest of the story."
     
  10. worldwideRi, Mar 18, 2018
    Last edited: Mar 18, 2018

    worldwideRi macrumors newbie

    Joined:
    Mar 18, 2018
    #10

    Why has the Mac version a trash, but the iOS not?

    This isn't about encryption/cracked vault! it's about proper deletion.

    Tell me why the 1Password iOS version says delete, but the Mac version says move to trash?

    In the Mac version it is explained correctly. But in the iOS version it is wrong name function delete =! move to the trash (it remains always in the trash). If it says delete, then it must be deleted. Everything else is confusion

    I don't like it either. anyone who knows now can work it out.

    imagine you have deleted hundreds of logins, notes etc.. in the last years, but then you are forced to give out your password, otherwise you will kill your family.

    Then they do it, and the bad people transfer the vault file (e.g via 1Password Wi-Fi sync) to the 1Password Mac version. and then you see in the trash the old logins that were never deleted. you could create a complete profile of this person. if you find old documents, diaries, logins from old forum pages and so much more...
     
  11. chabig macrumors 603

    Joined:
    Sep 6, 2002
    #11
    The developer says that's just the way it's been made. They might change it in the future but it's not high priority. The OP was concerned about privacy. This UI "confusion" in no way exposes private information, so there is no security risk.

    LOL! You've got to think bigger! Image Dr. Evil threatens a nuclear attack on millions of people unless you hand over your master password...
     
  12. Nikiforidis macrumors regular

    Joined:
    Jul 1, 2017
    #12
    I agree with the OP and worldwideri.

    While the data stays in your account encrypted and protected by the master password there are few privacy issues here. What if I want to show or check out some log in or data in 1Password with family (parents, brothers/sisters, wife/husband etc) and they see that old data (don't forget that 1Password is not only about log in there are secure notes as well)? After all when you press the "Delete" button you expect the data to be deleted not transfer to a hidden folder that can be accessed on the computer.

    I saw a reply from one of their guys saying something like "Yea it's bugged but its very complex to fix, we will sort it out later". In my point of view it's unacceptable for that kind of app to have bugged the delete function. From the point of view that it's an app that millions use, apple named it app of the year or editors choice and from the point of view that this function is one of the basics in this kind of apps(add/edit/move/delete). Not to mention the high price they charge you monthly if you subscribe.
     
  13. NoBoMac macrumors 68000

    Joined:
    Jul 1, 2014
    #13
    ...Or... ONE MILLION DOLLARS!

    I know a guy that has a very particular set of skills, I'll give him a ring if this should materialize.
     
  14. MacDawg macrumors Core

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #14
    I've used 1Password for years
    I just checked and I have 86 deletions in my Trash on my Mac
    And I left them there, wasn't even bothered enough to empty the trash
    I'm seriously not worried about anyone trying to access my deleted files, nor am I concerned someone will threaten my family to get in my 1Password trash
     
  15. BasicGreatGuy Contributor

    BasicGreatGuy

    Joined:
    Sep 21, 2012
    Location:
    In the middle of several books.
    #15
    If you are a 1Password subscriber, any deleted items are available for 365 days. Just throwing that out, for those that don't know.
     
  16. AppleMatt macrumors 68000

    AppleMatt

    Joined:
    Mar 17, 2003
    Location:
    UK
    #16
    Yes I agree that there's no material security issue (or that I can think of). My point really is that a user should be able to delete their data - both in and of itself as a concept, but moreso when the app leads them to believe they have deleted that data. Because it's their data to do with as they please.

    AppleMatt
     
  17. greattrika thread starter macrumors member

    greattrika

    Joined:
    Dec 21, 2017
    #17
    Absolutely correct.

    We can now monitor our unsuspecting families and children.
    The children use the 1password iOS version and synchronize it via icloud drive or dropbox. and the parents make on the mac version.

    so you can watch our children and everything they want to delete or hide ends up in the trash. the good thing is, the children think it would be deleted, because there under 1Password iOS version the word "delete" is written. Although in truth only in a hidden folder (trash) is moved.

    this is absolutely misleading and in this case a privacy problem for the children.
     
  18. ddrulez macrumors regular

    Joined:
    Dec 12, 2012
    Location:
    Germany
    #18
    It's still encrypted and not reachable for anyone else than the one how make the password?

    Do I miss something here?
     
  19. MacDawg macrumors Core

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #19
    Sweet mother, the paranoia is strong in this thread
     
  20. NoBoMac macrumors 68000

    Joined:
    Jul 1, 2014
    #20
    Ok, this is totally off the rails.

    For this to be a thing, everyone needs to start off sharing the same password file, where EVERYONE can see what passwords are in there to begin with. And now we are supposed to be concerned about someone seeing the deleted password from the file that EVERYONE could see all the passwords from the beginning?!

    And if parents are making their children save to a password file the parents can view, GREAT! The parent's house, their rules. And they are checking up on their kids to make sure they are not getting into anything nefarious. Once the kids are of legal age and move out on their own, then they can have their own password file with their own master key.

    Not missing anything. As MacDawg said, "the paranoia is strong in this thread".
     
  21. Mr. Heckles macrumors 6502

    Mr. Heckles

    Joined:
    Mar 20, 2018
    Location:
    Around
    #21
    How is this a privacy issue? You’re the only one who has access to the vault. It’s not like AgileBits can see deleted files.
     

Share This Page