Sidenote, but nice to see a few more Codeberg links popping up instead of the ubiquitous GitHub. Maybe we’re decentralising a little more in this area.
Is this just a "vulnerability" in the same way sudo doesn't ask for a password for a short time after first use?
That only applies to the current terminal session; this applied from any session, including build sub-sessions.
But yah, you're right, it's a very low-risk attack.
> Responsible disclosure was made via BugCrowd on 2nd October, 2023, and disclosure was authorized in January of 2024
I’m confused why this is just being publicly disclosed. It’s been known for 2 years!
> This investigation took a while, and I waited a while before publishing this disclosure (life circumstances and giving 1Password time to fix the issue).
Sounds like the person really came from a supportive place and hoped things would get sorted out. And had life intervene along the way maybe.
Is the described behavior still the default with the `op` CLI?
Great work and thank you for sharing! I will definitely disable the CLI integration. Hoping 1Password fixes the CLI flow soon.