Cloudflare data leakage doesn’t reveal 1Password secrets

Researchers discovered just a few days ago that the content-distribution network (CDN) Cloudflare sometimes returned garbled Web pages that could contain private and secret information instead of the cached data that it was supposed to. CDNs speed up the Web by allowing sites to push pages and media to Internet nodes closer to a user requesting them. ( PCWorld has the full story.)

Among the sites mentioned by Tavis Ormandy, a Google Project Zero security researcher who uncovered the fault, was AgileBit’s 1Password.com, though Ormandy referred to it just as “1Password.” AgileBits’ 1Password password and data safe apps can be used as standalone products, synced via Dropbox and other methods, or linked to paid accounts at 1Password.com for business and family purposes to share passwords, documents, and other data. (Macworld has contacted Ormandy for clarification.)

But 1Password.com doesn’t use a simple login procedure in which a username and password allows access to the stored data and transferred over a secured Web connection. Rather, the company’s security model expects that an https connection is vulnerable, so it’s one of three layers employed.

Inside the https connection, AgileBits uses a second method of transport security: the Web browser and server validate each other’s identities from when the account was created without sending a password that could be exposed by the Cloudflare leak. Once validated, the server creates an encryption key that, again, isn’t sent over the Internet, but derived from that mutually confirmed information.

And the data inside that second wrapper remains encrypted. 1Password.com customers enter their passphrase into the browser, which performs decryption locally. Thus, even were 1Password.com sessions leaked through Cloudflare’s code error, the session and specific password data should remain fully secure. AgileBits noted that its servers weren’t affected. (The company has been migrating its services away from Cloudflare for infrastructure reasons unrelated to this breach.)

Jeffrey Goldberg, AgileBits’ security chief, noted via email, “We designed 1Password from the outset with the expectation that TLS could fail. So if some traffic is exposed through a TLS value, it doesn’t cause any problems.”

The Cloudflare leak resulted in no more than 1 out of every 3,300,000 requests potentially containing unintentional information between February 13 and 18, Cloudflare’s CTO said in a blog post, although such data might have been disclosed as far back as September 2016.

So far, there’s no indication it was exploited by crackers or criminals. Ormandy worked with search engines and other sites to remove 770 cached versions of pages that contained exposed information, though some researchers have found traces of information elsewhere or not yet removed.

Passwords stored in 1Password, Safari, and other browsers and password safes that were used to log into affected Web sites could be at risk, although the specific list of affected sites isn’t yet available. Ormandy mentioned Uber, Fitbit, and OkCupid. AgileBits will update its Watchtower alert feature in its apps to notify users as it collects a list of sites that may have had passwords and other information leaked.