security audit report (code review) #2

Open
Alino opened this issue Jul 15, 2024 · 1 comment

Comments

Alino commented Jul 15, 2024

I have voluntarily reviewed the files that could potentially contain backdoors or security issues.
#1

My methodology was to compare my own local 1Password extension files, which I had originally downloaded from the 1Password website maybe more than a year ago, with the files in this repo, and to inspect the diff for any harmful things.

Here is my report:

injected.min.js - no diff other than a new line removed at the end of the file

global.min.js - same as above

ext/sjcl.js - same as above

manifest.json -
the extension key and update_url have been modified.
update_url old value -> https://cdn.agilebits.com/dist/1P/ext/autoupdate_chrome4.xml
update_url new value -> https://clients2.google.com/service/update2/crx
the new update_url belongs to google.
This might be a potential security issue if you don't trust the author about future updates, because the extension could get automatically updated, potentially with bad code from Google's Chrome store, by the owner of the private keys of this modified extension.

solution: remove key and update_url from the manifest so that you disassociate the extension from the author's private key.

Otherwise looks safe, as the original one. With no weird changes.

It's still broken at this point.


I kind of wonder if it's possible to fix this on the browser extension side. It might be possible that the latest version of the 1Password 7 desktop app contains code that denies the communication with the browser extension. I have gone a bit through the code and it seems to me that it's trying to connect to the desktop app and fails with no reason provided by 1Password.

If someone has older desktop version they might try.

I might migrate from 1Password to Enpass though.
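The review methodology described in the comment above (file-by-file comparison of a trusted local copy against the repackaged copy, treating a removed trailing newline as harmless, and flagging the `key` and `update_url` manifest fields that decide who can push future updates) can be scripted. The following is an added example written for this page; it is not code from the issue or from the repository. The two sample directory trees, file contents and the `key` values are constructed placeholders; only the two `update_url` values are taken from the report above.

```python
"""Added example: script the manual review described in the issue.
Compares a trusted extension tree with a repackaged one, classifies each
file as identical / trailing-newline-only / modified / added / removed,
and reports changes to the manifest fields that control updates."""

import json
import tempfile
from pathlib import Path

# Manifest fields that bind an extension to a publisher's signing key and
# update channel.  A changed `key` means a different private-key holder;
# a changed `update_url` means a different party can ship future versions.
UPDATE_CONTROL_FIELDS = ("key", "update_url")


def classify_file(original: bytes, candidate: bytes) -> str:
    """Return 'identical', 'trailing_newline_only' or 'modified'."""
    if original == candidate:
        return "identical"
    # Differences limited to trailing CR/LF bytes are a formatting change,
    # not a code change (the case reported for the .js files above).
    if original.rstrip(b"\r\n") == candidate.rstrip(b"\r\n"):
        return "trailing_newline_only"
    return "modified"


def diff_extension_dirs(trusted: Path, repackaged: Path) -> dict:
    """Compare every regular file under both trees; status per relative path."""
    trusted_files = {p.relative_to(trusted) for p in trusted.rglob("*") if p.is_file()}
    repack_files = {p.relative_to(repackaged) for p in repackaged.rglob("*") if p.is_file()}
    report = {}
    for rel in sorted(trusted_files | repack_files):
        key = rel.as_posix()
        if rel not in trusted_files:
            report[key] = "added"          # new file not in the trusted copy
        elif rel not in repack_files:
            report[key] = "removed"
        else:
            report[key] = classify_file(
                (trusted / rel).read_bytes(), (repackaged / rel).read_bytes()
            )
    return report


def check_manifest(trusted_manifest: dict, repack_manifest: dict) -> list:
    """List update-control fields whose value differs between the manifests."""
    findings = []
    for field in UPDATE_CONTROL_FIELDS:
        old, new = trusted_manifest.get(field), repack_manifest.get(field)
        if old != new:
            findings.append({"field": field, "old": old, "new": new})
    return findings


def strip_update_control(manifest: dict) -> dict:
    """The mitigation proposed in the issue: drop `key` and `update_url`
    so the package is no longer tied to the repackager's key or channel."""
    return {k: v for k, v in manifest.items() if k not in UPDATE_CONTROL_FIELDS}


def build_sample_trees(root: Path):
    """Construct two illustrative trees (sample data, not real extension files)."""
    trusted, repack = root / "trusted", root / "repackaged"
    for d in (trusted, repack):
        (d / "ext").mkdir(parents=True)
    (trusted / "injected.min.js").write_bytes(b"/* js */\n")
    (repack / "injected.min.js").write_bytes(b"/* js */")        # only newline removed
    (trusted / "ext" / "sjcl.js").write_bytes(b"var sjcl={};\n")
    (repack / "ext" / "sjcl.js").write_bytes(b"var sjcl={};\n")   # unchanged
    trusted_manifest = {
        "name": "example",
        "key": "ORIGINAL-KEY-PLACEHOLDER",        # constructed placeholder
        "update_url": "https://cdn.agilebits.com/dist/1P/ext/autoupdate_chrome4.xml",
    }
    repack_manifest = {
        "name": "example",
        "key": "REPACKAGER-KEY-PLACEHOLDER",      # constructed placeholder
        "update_url": "https://clients2.google.com/service/update2/crx",
    }
    (trusted / "manifest.json").write_text(json.dumps(trusted_manifest))
    (repack / "manifest.json").write_text(json.dumps(repack_manifest))
    return trusted, repack


def run_review() -> tuple:
    """Run the whole review on the sample trees: (file report, manifest findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, repack = build_sample_trees(Path(tmp))
        files = diff_extension_dirs(trusted, repack)
        findings = check_manifest(
            json.loads((trusted / "manifest.json").read_text()),
            json.loads((repack / "manifest.json").read_text()),
        )
    return files, findings


if __name__ == "__main__":
    files, findings = run_review()
    for path, status in files.items():
        print(f"{status:22s} {path}")
    for f in findings:
        print(f"manifest {f['field']}: {f['old']!r} -> {f['new']!r}")
```

Point `diff_extension_dirs` at a real unpacked extension directory and a repackaged copy to get the same per-file classification the reviewer produced by hand; any file reported as `modified`, `added` or `removed` still needs a manual read of the actual diff, since the script only tells you where to look.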

scramblr (Owner) commented Aug 7, 2024

Yeah, my biggest hesitation on this project has been taking on the "ownership" of trust in repackaging a product that's essentially not mine, but one that I'm archiving. I wanted to try and take an approach of finding the hashes and then everything would fall into place, but it's obviously not that easy. I believe that archiving and maintaining the archives is the way to go, and that future development is absolutely "At Your Own Risk" with lots of caution tape, etc. ;)

Cheers
