AgileBits 1Password 6.3.3 Multiple Vulnerabilities (macOS)

Medium Nessus Plugin ID 100956


A password management application installed on the remote host is affected by multiple vulnerabilities.


The version of AgileBits 1Password installed on the remote macOS or Mac OS X host is 6.3.3. It is, therefore, affected by multiple vulnerabilities:

- A security weakness exists in the internal web browser, which uses HTTP as its default protocol. If a user visits a website without specifying the full URL, the more secure HTTPS protocol will not be used even if it is available. A man-in-the-middle attacker can exploit this to disclose sensitive information. (SIK-2016-039)

- A security weakness exists in the database of the password manager due to a lack of encryption for titles and URLs. An attacker who is able to obtain a copy of the encrypted database can exploit this to disclose the websites for which the user has stored credentials without having to break the cryptography. (SIK-2016-040)

- A security weakness exists in the password manager because it sends the target domain to the vendor's web server in order to obtain, from a server-side cache, an icon that represents the respective target website. This issue allows the vendor to track all the sites for which the user has created database entries. (SIK-2016-042)


Upgrade to a version of AgileBits 1Password that is later than 6.3.3.

Plugin Details

Severity: Medium

ID: 100956

File Name: macosx_agilebits_1password_multiple_vulns_01.nasl

Version: $Revision: 1.1 $

Type: local

Agent: macosx

Published: 2017/06/21

Modified: 2017/06/21

Dependencies: 100960

Risk Information

Risk Factor: Medium


Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N


Base Score: 4.8

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

CPE: cpe:/a:agilebits:1password

Required KB Items: Host/local_checks_enabled, Host/MacOSX/Version, installed_sw/1Password

Patch Publication Date: 2016/09/27

Vulnerability Publication Date: 2016/09/27