AgileBits 1Password 6.3.3 Multiple Vulnerabilities (macOS)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Synopsis :

A password management application installed on the remote host is
affected by multiple vulnerabilities.

Description :

The version of AgileBits 1Password installed on the remote macOS or
Mac OS X host is equal to 6.3.3. It is, therefore, affected by
multiple vulnerabilities :

- A security weakness exists in the internal web browser
because its default protocol is set to HTTP. If a user
visits a website without specifying the full URL, the
more secure HTTPS protocol will not be used even if it
is available. A man-in-the-middle attacker can exploit
this to disclose sensitive information. (SIK-2016-039)

- A security weakness exists in the database of the
password manager due to lack of encryption for titles
and URLs. An attacker who is able to obtain a copy of
the encrypted database can exploit this to disclose the
websites for which the user has stored credentials
without having to break the cryptography. (SIK-2016-040)

- A security weakness exists in the password manager
because it sends the target domain to the vendor's web
server in order to obtain, from a server-side cache, an
icon that represents the respective target website. This
issue allows the vendor to track all the sites for which
the user has created database entries. (SIK-2016-042)

Solution :

Upgrade to a version of AgileBits 1Password that is later than 6.3.3.

Risk factor :

Medium / CVSS Base Score : 5.8

Family: MacOS X Local Security Checks

Nessus Plugin ID: 100956
