Yeah, it sounds like the first exploit required your vault to be unlocked so that a malicious process pretending to be a legitimate integration like a browser plugin could request credentials, and the second one required installing an out of date version of the app.
Good that it is all patched, and that it wasn't a remotely exploitable issue.
Yeah, it sounds like the first exploit required your vault to be unlocked
That barely fits the requirements to even be called a vulnerability.
"Sir, this safe lock is horribly insecure because all it takes for somebody to get access to the safe is to have the owner invite an intruder over to his house, unlock the safe, and the intruder can barge right in!"
I'm all for broadcasting vulnerabilities for services that deserve it. But, taking two of the thousand unrated CVEs that appear each year, slapping on a clickbait headline, and trying to scare people into not trusting password managers is a load of shit. The only reason this trash got upvoted is because this community has a massive hard-on for locally-controlled password stores, without acknowledging the negatives.
A good reminder to always set your password manager to auto-lock (with PIN for convenience) after 3-5 minutes. The PIN makes it easy to re-log, while not being bruteforceable (AFAIK after few failed attempts it reverts to password), and if someone would get to your PC, either physically or remotely, they won't be able to get all your passwords.
One of the best jackpots I've ever found during Red Teaming engagements was when I RDPd to a server through pass-the-hash, only to find an unlocked password manager with passwords for most of the other servers, service and admin accounts.
Stop using "the cloud" to store your passwords. Unless you control said cloud, you have to trust someone to not fuck up their security that you now depend on. Everyone eventually does.
The difference is also, that someone who's job is storing other people's passwords is by definition a target. So is the fuck up, someone will notice. If you host those yourself, or you rent a place where you can host them for yourself, that is just one person's server. The interest and possible gain for someone gaining access is so small, it's even unlikely. So when you inevitably fuck it up, the chances someone notices before you do are relatively small.
Your comment is irrelevant to the issue at hand because it's a local attack and your suggested alternative could therefore be just as vulnerable.
Self hosting is cool for 0.0001% of the population, for anyone else it's either too difficult or a hassle. It's also an oversimplification that I have to "trust" the cloud company and imply that a self hosted solution is inherently safe. You run that program on a computer with 100 different apps, each of which is an attack vector and you're just you, without the backup of a small army of developers hunting down issues and independent parties auditing the whole shebang.
The only thing self hosting has going for it is that the target is incredibly small, but this is not as big a factor as you suggest because of the maturity of some of these services who basically just store a blob of data you encrypted locally and access to their servers or even your data is usually without danger.
Ah the Internet classic: calling someone's comment irrelevant, when you clearly haven't even read, or at least not understood it. It isn't that long of a comment. Try reading it again.
Oh whatever, here's another attempt at explaining it: there's a huge difference if my passwords are in a place where people generally keep passwords, or if they are where only my passwords are. If someone has never heard of me, but they attack my cloud-password-solution and get in, they still get my passwords. Someone attacking me personally, if he's truly competent as a hacker, in probably screwed either way. At least he can only attack me, he can't attack "some public thing" and get my stuff "by accident". Think "personal safe in my home" compared to "public bank" (ignoring the fact that a bank is insured and all that for this analogy).
Your second point would be valid if open source didn't exist. First of all I didn't imply that it was inherently safe, I implied that there isn't a single point of trust, which was my would point. Even if you can't read/audit it yourself, there are projects that have public audits by reputable security companies. Plus if there truly were backdoors, assuming a non-tiny user base, someone would've probably noticed.
Then your final point seems to acknowledge the attack surface, but the problem with the "locally encrypted blob" is that this statement from the cloud provider is another thing you just have to believe them on. They might do that, they might not. Many don't even claim that, because people like convenience and want options for password recovery to their password service. those two are mutually exclusive.
In this context "self host" can ironically mean using a cloud service for hosting. You can use a file based password manager and just sync the database. Solutions like KeePass have apps for many platforms, and they can often even directly load from cloud storage, like Google drive, OneDrive or DropBox. The password database is strongly encrypted, and even if your storage gets compromised, your passwords are still safe (assuming a good password or some then better security was used to encrypt it).
You give up the convenience of having a single service and having to get each device to access the file. But that's it. It's not that hard and so much better than a password service, even if just for their attack surface, or the "likely target" these are.
With self hosting you have to trust that you won’t fuck up, that your house or wherever you are hosting won’t lose power when you need it, or burn down or face some other disaster. At the very least you should have an external location, which you also should trust pretty thoroughly.
Also that’s not to mention that open source projects still have security vulnerabilities sometimes, and also sometimes they get a lot less developer attention than profesional projects.
I love self hosting stuff and do a lot of my own computer backups etc. but the most important stuff I rely on professional cloud solutions for. I simply don’t have the resources to be able to compete.
Does nobody read the article? 1Password works on any platform but the attack is Mac only because it's actually getting passwords from a Mac's keychain through older versions of 1Password.