Forum Discussion

Former Member
3 years ago

Why does 1password still install to the user’s local application directory?

I'm interested in 1password, mostly because of the automation options via the connect server.

So I started reading and reading, including security audit reports. In the last security audit handled by cure53, there is a 'high' described as follows:

1PW-18-003 WP2: Windows malware can trivially backdoor .html and .js (High)

This security audit took place at the end of 2021. At that time, 1Password commented the following:

[...] 1Password wants to get those trade-offs just right before they roll out a fix.

Another solution mentioned in the security audit report is the use of an .msi, which actually installs in a much more secure location.

Almost 7 months later, I can see this issue is still not fixed in the normal installer. Nor is an .msi available for 1Password 8. In this community I can find questions asking for this .msi since November 2021.

I'm very curious why this "high" issue is still not fixed and why the workaround of the .msi still isn't available. Mostly because backdooring 1Password 8 on Windows is so trivial, it's even described in detail in the public report.

What am I missing here?

1Password Version: 8
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Referrer: forum-search:https://1password.community/search?Search=cure53

16 Replies

  • Former Member

    Thanks for the update.

    In all honesty, it does sound a bit strange, but there are so many applications using trusted/protected installation locations and still offering acceptable update notifications like: "hey, there is an update, you should download this".

    One of these applications is Notepad++.

    Another thing is an important downside of using the .msi, which is that you apparently do not get notified of updates, which I think makes this option pretty unusable for the average home user in the first place. It would really help to at least get a simple check if the running version is actually the latest version available.

    All together, I just can't understand why and how you guys came to this decision. It's either fragile and risky (local attack) with auto-updates, or it's protected without updates and notifications to update. Another thing is how you're handling and delaying a high-risk finding of a security audit "somewhere" in your backlog. I'm expecting something different from a company offering "secure" products.

    Enough said. Have a great day yourself :)

  • ag_mike_d (1Password Team)

    Hello @ArjenvT,

    Thanks for your message and I'm sorry for the delay in response here. I've reached out to the security team for an update to your original inquiry.

    Software installed to a protected directory requires user interaction to install updates, so we install to a non-protected directory to ensure we can keep our software updated automatically without user interaction. There is obviously a security trade-off in that decision, which is called out in the referenced pentest report. As a result of that report, we have created new installers (MSI) that can be used by enterprise clients to install software in protected directories while also allowing them to manage security updates in their own time. We are working on a similar solution for our non-enterprise customers, which we hope to have available in 2023, but we do not have an exact deadline at this moment.

    In the meantime, should this apply and you'd like to try out an MSI, send an email message addressed to support+windows@1password.com and we'd be happy to help look into this further with you.

    Have a great day!
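
    The trade-off described above, per-user directory (writable, so auto-updates work) versus protected directory (needs elevation), can be checked from a standard user account. The script below is an added example for readers, not 1Password's code or anything posted in this thread; it only reads ACLs and reports whether the install directory grants write-type rights to unprivileged principals. The two candidate paths are assumptions: a per-user install under %LOCALAPPDATA% and an MSI install under %ProgramFiles%.

```powershell
# Added example, not 1Password's code: report whether a 1Password install
# directory grants write access to unprivileged principals. Both candidate
# paths are assumptions (per-user install vs. MSI install location).
$Candidates = @(
    (Join-Path $env:LOCALAPPDATA '1Password'),
    (Join-Path $env:ProgramFiles  '1Password')
)

# Principals every standard (non-admin) user belongs to, plus the current
# user, who always has full control over their own profile directory.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
)

# Rights that allow replacing or altering files: the FileSystemRights 'Write'
# composite, deletion, ACL/ownership changes, and the generic GENERIC_WRITE /
# GENERIC_ALL bits (0x40000000 / 0x10000000) that inherited ACEs may carry.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             0x40000000 -bor 0x10000000

function Test-UnprivilegedWrite {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $null }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or unresolvable SID: skip this ACE
        if (($LowPrivSids -contains $sid) -and (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

foreach ($dir in $Candidates) {
    [pscustomobject]@{
        Path              = $dir
        Present           = (Test-Path -LiteralPath $dir -PathType Container)
        UnprivilegedWrite = Test-UnprivilegedWrite -Path $dir
    }
}
```

    A per-user install is expected to report UnprivilegedWrite = True for the current user's own SID, which is exactly the exposure the Cure53 finding describes; a Program Files install should report False unless the directory's ACL has been loosened.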

  • Former Member

    Hey 1P_PeterG - over 3 months have passed and I didn't get any update.
    Any news on this topic?

  • 1P_PeterG (Community Manager)

    Hi @ArjenvT, thanks for these questions. 👋

    Since some of these pertain to the security design of 1Password, I'm going to loop in our security specialists. You'll either be hearing from them directly here, or I'll pass along the information they've provided once I've had a conversation with them (whichever comes first).

    In the meantime, I can say that an MSI installer is indeed coming. I can't share much in the way of details until the release happens, but as you've noted we've been working on this for some time and we understand it's important to provide this. This is a priority for us and we've been putting the time into it accordingly. It's on the way.

    Thanks for your patience, and I'll hope to have more for you soon.

    ref: dev/core/core#5597

  • Former Member

    For anyone interested, the security audit report can be found here:
    https://bucket.agilebits.com/security/Cure53-1PW18-report.pdf