1Password Token
A 1Password token is a credential used to authenticate and interact with the 1Password service, which is a widely used password manager designed to securely store and manage sensitive information such as passwords, credit card details, and secure notes. Exposure of a 1Password token is a significant security concern because it can grant unauthorized access to the stored secrets and potentially compromise the security of all accounts and sensitive data managed within the 1Password vault.
How Does It Look
1Password tokens can appear in various contexts, such as:
- Environment variables:
    export OP_TOKEN="op:1234567890abcdef"
- Configuration files (JSON, YAML, .env):
    {
      "1password": {
        "token": "op:1234567890abcdef"
      }
    }
- Code snippets:
    op_token = "op:1234567890abcdef"
- Connection strings (if applicable):
    op://vault/item/field?token=op:1234567890abcdef
Severity
- 🔴 Critical
The severity of a 1Password token exposure is critical because it provides access to all the secrets stored within the 1Password vault. This includes sensitive information such as passwords, secure notes, and other confidential data. The blast radius is extensive, as it can affect all accounts and services linked to the compromised vault.
What Can an Attacker Do?
With immediate access to a 1Password token, an attacker can retrieve and manipulate sensitive data stored in the vault.
Key actions an attacker can perform:
- Access sensitive data: Retrieve passwords, secure notes, and other confidential information (if the token has read permissions).
- Modify vault contents: Add, update, or delete items within the vault (if the token has write permissions).
- Export vault data: Extract all stored secrets for offline analysis or further exploitation (if export permissions are granted).
- Access shared vaults: Gain entry to shared vaults and compromise additional accounts (if the token has access to shared vaults).
An attacker could escalate further by using credentials retrieved from the vault to compromise other systems and services, enabling lateral movement within the network.
Real-World Impact
The exposure of a 1Password token poses a significant business risk due to the potential compromise of sensitive data.
Potential consequences include:
- Data Exposure: Confidential information such as passwords and secure notes (if the token has read access to sensitive data).
- Financial Loss: Unauthorized transactions or financial fraud (if financial information is stored in the vault).
- Operational Disruption: Inability to access critical accounts or services (if the attacker modifies or deletes essential credentials).
- Reputational Damage: Loss of trust from customers and partners due to data breaches.
In the worst-case scenario, the exposure could lead to a cascading effect where multiple systems and services are compromised, resulting in widespread operational and financial damage.
Prerequisites for Exploitation
To exploit a 1Password token, an attacker needs:
- Network access: Ability to communicate with the 1Password API or service endpoints.
- Additional context: Knowledge of the specific vault or account associated with the token.
- No rate limits: Absence of rate limiting or IP restrictions that could hinder unauthorized access attempts.
How to Verify If It's Active
To verify if a 1Password token is active, use the following command:
    op get vaults --token=[TOKEN]
Valid credential response: A list of vaults associated with the token is returned.
Invalid/expired credential response: An error message indicating invalid credentials or token expiration.
Detection Patterns
Common Variable Names:
- OP_TOKEN
- ONEPASSWORD_TOKEN
- 1PASSWORD_TOKEN
- OP_API_KEY
- ONEPASSWORD_API_KEY
- 1PASSWORD_API_KEY
File Locations:
- .env
- config.json
- settings.yaml
- credentials.txt
- secrets.env
Regex Pattern:
    op:[a-zA-Z0-9]{16,}
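As an added example that is not part of this page, the following Python scanner applies the regex and the variable names listed above to constructed sample files that mirror the formats shown under "How Does It Look". The file names and sample contents are assumptions; matched tokens are redacted so a finding stays traceable without reprinting the secret.

```python
import re

# Detection pattern from the page: "op:" followed by 16 or more alphanumerics.
TOKEN_RE = re.compile(r"op:[a-zA-Z0-9]{16,}")

# Variable names listed on the page under "Common Variable Names".
VAR_NAMES = {"OP_TOKEN", "ONEPASSWORD_TOKEN", "1PASSWORD_TOKEN",
             "OP_API_KEY", "ONEPASSWORD_API_KEY", "1PASSWORD_API_KEY"}
VAR_RE = re.compile(r"\b(" + "|".join(map(re.escape, sorted(VAR_NAMES))) + r")\b")

# File names listed on the page under "File Locations".
WATCHED_FILES = {".env", "config.json", "settings.yaml", "credentials.txt", "secrets.env"}

def redact(token):
    """Keep the prefix and last 4 characters so the finding is traceable without leaking the value."""
    return token[:3] + "*" * (len(token) - 7) + token[-4:]

def scan_text(filename, text):
    """Return one finding per line that contains a token-shaped value or a watched variable name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        tokens = TOKEN_RE.findall(line)
        var = VAR_RE.search(line)
        if not tokens and not var:
            continue
        findings.append({
            "file": filename,
            "line": lineno,
            "watched_file": filename in WATCHED_FILES,
            "variable": var.group(1) if var else None,
            "tokens": [redact(t) for t in tokens],
            # A literal token value is higher confidence than a bare variable name,
            # which may legitimately be populated at runtime from a secrets manager.
            "confidence": "high" if tokens else "low",
        })
    return findings

# Constructed samples mirroring the page's formats; these are not real credentials.
SAMPLES = {
    ".env": 'export OP_TOKEN="op:1234567890abcdef"\nDB_HOST=localhost\n',
    "config.json": '{\n  "1password": {\n    "token": "op:1234567890abcdef"\n  }\n}\n',
    "settings.yaml": 'item_ref: op://vault/item/field?token=op:1234567890abcdef\n',
    "app.py": 'op_token = "op:1234567890abcdef"\n',
    "deploy.sh": 'OP_TOKEN="$(vault read -field=token secret/op)"\n',  # name only, no literal
}

def scan_all(samples=SAMPLES):
    return [f for name, text in samples.items() for f in scan_text(name, text)]

if __name__ == "__main__":
    for finding in scan_all():
        print(finding)
```

Only the `deploy.sh` sample is reported at low confidence, since it names a watched variable but pulls the value from a secrets manager at runtime, which is the pattern the remediation steps recommend.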
Remediation Steps
- Revoke immediately - Go to 1Password > Security > API Tokens and delete the compromised token.
- Audit access logs - Review 1Password access logs for unauthorized access or data exports during the exposure window.
- Assess blast radius - Identify all systems, applications, and environments that used the exposed token.
- Rotate credential - Generate a new API token in 1Password with least-privilege permissions.
- Update dependent systems - Deploy the new token to all applications and update CI/CD pipelines securely.
- Harden access controls - Enable IP allowlisting in 1Password and require two-factor authentication for all users.
- Implement secrets management - Migrate credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
- Add detection controls - Set up pre-commit hooks and repository scanning to catch credential leaks before they reach production.
Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.