Security Advisory January 2017: OmniFocus Encryption

Affected versions

This document describes a security vulnerability in the following versions of OmniFocus:

  • OmniFocus 2.6 for Mac
  • OmniFocus 2.6.1 for Mac
  • OmniFocus 2.6.2 for Mac
  • OmniFocus 2.7 for Mac
  • OmniFocus 2.7.1 for Mac
  • OmniFocus 2.7.2 for Mac
  • OmniFocus 2.8 for Mac
  • OmniFocus 2.15 for iOS (and Legacy Support Edition)
  • OmniFocus 2.15.1 for iOS (and Legacy Support Edition)
  • OmniFocus 2.15.2 for iOS (and Legacy Support Edition)
  • OmniFocus 2.16 for iOS (and Legacy Support Edition)
  • OmniFocus 2.16.1 for iOS (and Legacy Support Edition)
  • OmniFocus 2.17 for iOS (and Legacy Support Edition)
  • OmniFocus 2.17.1 for iOS (and Legacy Support Edition)
  • OmniFocus 2.17.2 for iOS (and Legacy Support Edition)
  • OmniFocus 2.17.3 for iOS (and Legacy Support Edition)
  • OmniFocus 2.17.4 for iOS (and Legacy Support Edition)

Description

In the affected versions, encryption keys are not rolled over when the encryption passphrase (or sync password, if a distinct encryption passphrase is not set) is changed. This means that an attacker who has your previous passphrase can still access your data after your passphrase has been changed.

This vulnerability only affects customers who are changing their passphrase because they fear it may have been compromised. There is no need to take action otherwise.
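The following is an added illustration of the class of bug described above; it is not Omni Group code and is a simplified model, not OmniFocus's actual file format. It assumes the common design in which the database is encrypted under a random data-encryption key (DEK) and the DEK is wrapped under a key derived from the passphrase: changing only the wrapper leaves the DEK, and so the data, readable to anyone holding the old passphrase plus an old copy of the wrapped key, while rolling the DEK and re-encrypting closes that gap. The SHA-256 counter-mode stream cipher is a stand-in for a real AEAD, not something to deploy.

```python
import hashlib
import secrets

def kdf(passphrase: str, salt: bytes) -> bytes:
    # Passphrase -> key-encryption key (KEK). Toy iteration count.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000)

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode. Stands in for AES/AEAD only.
    out, i = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + xor_crypt(key, nonce, data)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return xor_crypt(key, blob[:16], blob[16:])

class Store:
    """Database encrypted under a random DEK; DEK wrapped under a passphrase KEK."""
    def __init__(self, passphrase: str, data: bytes, roll_dek_on_change: bool):
        self.roll = roll_dek_on_change
        dek = secrets.token_bytes(32)
        self.salt = secrets.token_bytes(16)
        self.wrapped_dek = encrypt(kdf(passphrase, self.salt), dek)
        self.ciphertext = encrypt(dek, data)

    def change_passphrase(self, old: str, new: str) -> None:
        dek = decrypt(kdf(old, self.salt), self.wrapped_dek)
        if self.roll:
            # Fixed behaviour: fresh DEK and re-encrypted database; old DEK is now useless.
            data = decrypt(dek, self.ciphertext)
            dek = secrets.token_bytes(32)
            self.ciphertext = encrypt(dek, data)
        # Vulnerable behaviour (roll=False): only the wrapper changes, the DEK does not.
        self.salt = secrets.token_bytes(16)
        self.wrapped_dek = encrypt(kdf(new, self.salt), dek)

def old_passphrase_still_reads(store: Store, old_pw: str, old_salt: bytes,
                               old_wrapped: bytes, expected: bytes) -> bool:
    # Regression check: does the old passphrase plus a pre-change copy of the
    # wrapped DEK (e.g. from an old backup) still decrypt the current database?
    dek = decrypt(kdf(old_pw, old_salt), old_wrapped)
    return decrypt(dek, store.ciphertext) == expected

def demo(roll: bool) -> bool:
    data = b"project: roll keys; action: ship update"  # constructed sample database
    s = Store("old secret", data, roll)
    old_salt, old_wrapped = s.salt, s.wrapped_dek      # copy kept from before the change
    s.change_passphrase("old secret", "new secret")
    return old_passphrase_still_reads(s, "old secret", old_salt, old_wrapped, data)
```

`demo(False)` models the affected versions and returns True; `demo(True)` models the fixed behaviour and returns False.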

Remedy

Unless you need to change your passphrase, you do not need to take action now. Updates addressing this vulnerability are imminent.

Customers who use OmniFocus for Mac

Customers running OS X 10.11 or later:

Install OmniFocus 2.8.1 (or later) for Mac, which addresses this vulnerability. OmniFocus 2.8.1 is available now from omnigroup.com and via the Mac App Store.

Customers running OS X 10.10:

Install OmniFocus 2.7.3 for Mac, which addresses this vulnerability.

Customers who don’t use OmniFocus for Mac

In OmniFocus 2.17 for iOS or later:

After changing your encryption passphrase or sync password, navigate to Backups in OmniFocus Settings. Tap Back Up Now to take a manual backup, then tap the new backup’s entry in the list of recent backups. After verifying the date/time stamp of your backup, tap Revert to This Backup. Reverting to a backup triggers a sync that replaces the encryption keys on the server, securing your database against any attackers that have your previous passphrase.

Thanks

Thanks to Rainer Burgstaller for discovering and reporting this vulnerability.

Last Modified: Jan 5, 2017