AgileBits 1Password 6.3.3 Multiple Vulnerabilities
Medium Nessus Plugin ID 100955
Synopsis
A password management application installed on the remote host is affected by multiple vulnerabilities.
Description
The version of AgileBits 1Password installed on the remote Windows host is equal to or prior to 6.3.3. It is, therefore, affected by multiple vulnerabilities:
- A security weakness exists in the internal web browser in which the default protocol that is used is set to HTTP. If a user visits a website without specifying the full URL, the more secure HTTPS protocol will not be used even if it is available. A man-in-the-middle attacker can exploit this to disclose sensitive information. (SIK-2016-039)
- A security weakness exists in the database of the password manager due to lack of encryption for titles and URLs. An attacker who is able to obtain a copy of the encrypted database can exploit this to disclose the websites for which the user has stored credentials without having to break the cryptography. (SIK-2016-040)
- A security weakness exists in the password manager because it sends the target domain to the vendor's web server in order to obtain, from a server-side cache, an icon that represents the target website. This issue allows the vendor to track all the sites for which the user has created database entries. (SIK-2016-042)
Solution
Upgrade to a version of AgileBits 1Password that is later than 6.3.3.