Vulnerability in 1Password

Here is what I found:

That’s why I think 1Password should be DITCHED

Since it is closed source we must trust something as critical as our passwords to them. Yeah, they claim audits…

Well… One auditor is good, but thousands of them if open source is better, right?

Plus we already got Proton Pass which can perfectly replace it.

Because security by obscurity is NOT the best way, IMHO.


That’s why I think 1Password should be DITCHED

No…

Since it is closed source we must trust something as critical as our passwords to them. Yeah, they claim audits…

I agree with you.

Plus we already got Proton Pass which can perfectly replace it.

And Proton Pass never had a security vulnerability in it… never… (they also had, ofc)

To your vulnerability: firstly, it was back in 2023, so a bit old.
Secondly, this vulnerability isn’t a real concern.
This vulnerability is actually just a standard warning not to run untrusted software on your machine. In this case the attacker can leverage a command line program to read your unlocked password vault, but without that he’d still be able to steal any user-owned files on your machine and access your bank through your browser to steal your money.
sudo and run0 have the same “vulnerability”, so yeah.


For those of us who don’t know code, could you give an ELI5 summary of what exactly the vulnerability is? Explain it to someone who knows how to sign up for an app and what E2EE is but doesn’t know what an IDE or CLI is.

I am not about this. How can we trust proprietary software? I don’t think they will publish an audit report until they fix everything, so there is a time gap for hackers.

I’d rather trust FOSS, which I can check myself. IMHO

For those of us who don’t know code, could you give an ELI5 summary of what exactly the vulnerability is? Explain it to someone who knows how to sign up for an app and what E2EE is but doesn’t know what an IDE or CLI is.

To simplify this, the vulnerability is that you don’t need to enter your password every time you access the password manager.

So for example you access your password manager and type your password in and it gets unlocked; now you can access it for X minutes and then it relocks again. The vulnerability says that it should insta-lock, so that you need to enter your password every time.

Just not for the desktop app or browser extension, but rather for the CLI (command line) tool.


I am not about this. How can we trust proprietary software? I don’t think they will publish an audit report until they fix everything, so there is a time gap for hackers.

I agree with you here, and this might be an interesting topic to discuss, but your title and text are a bit misleading.
I would encourage you to create a new post where you start a new discourse with a better title and text that links to this one here.

Thank you.

By “The vulnerability says that it should insta lock,” do you mean that 1Password implies that it should insta-lock and it doesn’t, or is the author simply arguing that this should be the default behavior?

or is the author simply arguing that this should be the default behavior?

The author argues that, which isn’t directly wrong, but I wouldn’t call it a vulnerability.

GHOST would 100% agree with you on this, but coming from a different angle here:

But do you actually verify all the source code for the software on your machine? There are definitely benefits to open source, but it doesn’t solve everything or guarantee freedom from security vulnerabilities. In fact, vulnerabilities are constantly found in open source software that has been run by users for years. You cannot pick on one random vulnerability in a piece of software and say this somehow proves that open/closed source software is insecure.

That is not the concept of open source. No single person can verify even one huge program like Firefox. The verification comes from the community. Once someone finds a vulnerability, that person can speak about it. It just needs a single person to create attention. So even if you do not verify a single line of code yourself, you don’t need to trust a single entity (like a company); you can trust that there is at least one person in the community who will find the issues.

And of course every software has issues. Read this article about the SSH vulnerability a developer implemented intentionally. But what do you do if such a developer works for a company and nobody can read the code? It will not be found in a bit over a month, but maybe after damage is already done and people got hacked. Open source is not better because I can verify it myself, but because many eyes see much more.

A company isn’t one person either, and many have auditors which are made up of multiple individuals. I agree that, all else being equal, open source provides better assurance, but there are many, many factors involved in the overall security of a piece of software. Looking at it from only the view of source code availability to the public is insufficient. I’ve released open source software myself that I am sure nobody has audited in any way. You could stumble across it and run it thinking it’s safe because it’s open source and therefore it must have been reviewed by lots of other people, or at least one other person, but you’d be wrong.

That is a reason I would not trust open source projects where not much activity is around, if I cannot read things myself or if I don’t know that person well enough. But sure, I was not explaining the whole thing, because I did not want to write a Wikipedia article here. And let’s say a not so much used project has a critical vulnerability; the chance someone abuses it is also very little. The attack surface scales with the size and importance of the project, and so does the amount of eyes watching it, usually.

The issue with audits is that they cannot view the whole code. They’re just a bonus to find issues, but they do not replace the everyday attention.