Introduction

The 1Password application < 7.0 for Android is affected by a Denial Of Service vulnerability. By starting the activity
com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity or
com.agilebits.onepassword.filling.openyolo.OpenYoloRetrieveActivity from an external application (since they are exported), it is possible to crash the 1Password instance.

Poc

To invoke the exported activity and crash the app, it is possible
to use Drozer:

run app.activity.start –component com.agilebits.onepassword com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity

Affected Components

com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity
com.agilebits.onepassword.filling.openyolo.OpenYoloRetrieveActivity

Disclosure timeline

2018-07-27 Contacting 1Password

2018-07-30 1Password acknowledges the vulnerability

2018-08-22 The vulnerability is fixed and made public

Share it