CVE-2018-13042 – 1Password Android < 7.0 - Denial of Service


The 1Password application < 7.0 for Android is affected by a Denial Of Service vulnerability. By starting the activity
com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity or
com.agilebits.onepassword.filling.openyolo.OpenYoloRetrieveActivity from an external application (since they are exported), it is possible to crash the 1Password instance.


To invoke the exported activity and crash the app, it is possible
to use Drozer:

run app.activity.start –component com.agilebits.onepassword com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity

Affected Components


Disclosure timeline

2018-07-27 Contacting 1Password

2018-07-30 1Password acknowledges the vulnerability

2018-08-22 The vulnerability is fixed and made public

Share it