Former Member
5 years ago
Don't go to Electron unless you can promise 100% security
If you use the Electron platform how can you ensure that there aren't exploits that will expose my passwords?
You don't have access to the code base in Electron so instead of trusting you folks I will have to trust Electron as well.
Given that Electron like apps are far harder to secure, in my opinion, than a stand alone Mac app I don't see how I can trust that you folks, despite your great dedication, can ensure that my data will continue to be safe.
I've been using 1Password since it came out and I'd hate to change but this Electron concept is probably going to cause me to look for another product.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
19 Replies
- Former Member
Following this.
- Former Member
1P_Rob what 3rd party libraries not produced by an OS vendor does 1Password 7 for Mac use? Do those libraries access the unencrypted passwords?
You're making me doubt the security of any version of 1Password if it uses non-OS vendor random 3rd party libraries which you can't verify are secure.
While I haven't used Electron a quick search found lots of articles about its vulnerabilities.
- 1P_Rob
1Password Team
Hey, @trinko. Electron packages up the UI for 1Password 8 for Mac. So when you're using 1Password to fill forms in your browser, Electron is not involved. When you view a password in 1Password 8 for Mac, though, yes, Electron "sees" it, similar to the way that Safari or your browser of choice "sees" your password when you fill it in a website. As @dougl said above,
> Any modern app uses third party libraries and is exposed to supply chain attacks. Those attack surfaces vary depending on the particular framework. Unless you're going to write low-level direct API code, there's always an intermediate code base that's at risk.
> The question is how much risk, and that's worth having the conversation about.
There is a lot of other third-party code we use that has the opportunity to "see" passwords and other secrets. This is the nature of software engineering, and all third party code has to be vetted carefully.
If you haven't watched Mitch's talk, I think it would really help answer some of your questions. Unfortunately, even though Roustem linked to the correct start time for Mitch's part, it didn't show up that way for me when the forum software here embedded it, so if you want to watch it, click through to YouTube itself and go to about 1:25:10, or copy and paste this link:
https://www.youtube.com/watch?v=_P6qI4ahBVk&t=5110s.
- Former Member
> When I access a website and have 1Password fill in the password will that password pass through functionality provided by Electron?
> That would be done by the browser extension using the API provided by the browser. Apple provides documentation for Safari. The 1Password browser extension runs within the browser itself and does not use Electron.
Now I'm really confused. If Electron is your UI how can it not have access to the data? If I look at a password won't that mean that Electron sees it?
Further if I can hack Electron can't I get it to display passwords even when the user doesn't ask for them to be displayed?
- dserodio
Dedicated Contributor
> We have a proven track record of having independent audits, running a bug bounty program, as well as disclosing and fixing security issues when they occur.
You also had a proven track record of building kickass Mac UIs, which you are completely jeopardizing right now :(
- roustem
1Password Team
Hi @trinko,
> How do you quote a comment in a reply? I don't see how to do that but folks are doing it so it must be possible.
I usually do that by starting the quoted text with the `>` character. It is one of the features provided by the Markdown formatting.
> When I access a website and have 1Password fill in the password will that password pass through functionality provided by Electron?
That would be done by the browser extension using the API provided by the browser. Apple provides documentation for Safari. The 1Password browser extension runs within the browser itself and does not use Electron.
I hope that helps!
- Former Member
roustem I wasn't being clear. Sorry. When I access a website and have 1Password fill in the password will that password pass through functionality provided by Electron?
Perhaps I misunderstand how you're using Electron. Isn't it providing your interface to other Apps like Safari? Also when I reveal the password so I can look at it won't the password be passing through Electron?
If so then a hack in Electron will provide access to all my passwords.
- Former Member
How do you quote a comment in a reply? I don't see how to do that but folks are doing it so it must be possible.
Thanks for any info.
- Former Member
> Anyone who "promises 100% security" is selling snake oil. Security is a moving target.
He's not wrong guys, anyone who says they can do anything 100% of the time is a dirty liar. ESPECIALLY in security/IT/software. That being said, Electron apps have been exploited before and it's now code they can't control. ¯\_(ツ)_/¯ We will see.
- Former Member
> What we can promise is that we take security seriously
I feel like you believe what you're saying, but if that were really true you wouldn't be dropping support for standalone vaults in version 8 or switching to a framework that has a poor security record and a history of enabling RCEs.