Hacker News | jviide's comments

1Password has a pretty good white paper explaining their security design (PDF behind the link): https://1passwordstatic.com/files/security/1password-white-p.... The parts "How Vault Items Are Secured" and "How Vaults Are Securely Shared" go into sharing passwords in a vault.

For the record, Bitwarden's white paper is a good read as well. Available at https://bitwarden.com/help/article/bitwarden-security-white-....

(edit: fixed typos)


So I'm reading on pg 22. The red block. How hard is it for 1Pass --basically a mandated MITM-- to send a false request to Alice when Bob made a request?

That whitepaper is a piece of marketing text. Not saying their audit did not take place. But they are soooooo powerful in their own system that they basically have access to everything.

BitWarden: not so much.


> How hard is it for 1Pass --basically a mandated MITM-- to send a false request to Alice when Bob made a request?

Alice is the one that initiates the request. She owns the vault being shared and encrypts it with Bob's pre-shared public key.
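The exchange described in the reply above, as an added illustration that is not part of the thread and not 1Password's own code or design: Alice holds a random symmetric vault key, wraps it under Bob's public key, and Bob unwraps it with his private key. The choices of RSA-OAEP for the wrap, AES-GCM for the vault items, and a SHA-256 fingerprint of the DER-encoded public key as the "pre-shared" value Alice checks are assumptions made for this example. The second case in `runShare` models the concern raised in the parent comment: if the service in the middle offers Alice a public key other than the one she verified with Bob, the fingerprint check rejects it and no wrapped vault key is produced at all.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// fingerprint is SHA-256 over the DER encoding of a public key. Alice learns
// Bob's fingerprint directly from Bob (the pre-shared step, assumed here) and
// compares it against whatever key the server later hands her.
func fingerprint(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // only fails on a malformed key
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// shareVault is Alice's side: refuse any key whose fingerprint does not match
// the pre-shared one, then wrap the vault key with RSA-OAEP under Bob's key.
func shareVault(vaultKey []byte, offered *rsa.PublicKey, expectedFP string) ([]byte, error) {
	if fingerprint(offered) != expectedFP {
		return nil, fmt.Errorf("offered public key does not match pre-shared fingerprint")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, offered, vaultKey, nil)
}

// acceptVault is Bob's side: unwrap the vault key with his private key.
func acceptVault(wrapped []byte, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// gcmFor builds an AES-GCM AEAD for a 256-bit vault key.
func gcmFor(vaultKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(vaultKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealItem encrypts one vault item under the vault key; the nonce is prepended.
func sealItem(vaultKey, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(vaultKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openItem reverses sealItem.
func openItem(vaultKey, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(vaultKey)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed item too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// runShare plays out both cases: the server offers a substitute key (Alice must
// refuse) and the server offers Bob's real key (Bob must be able to read the item).
func runShare() (bobRecovered, substituteRejected bool, err error) {
	bob, err := rsa.GenerateKey(rand.Reader, 2048) // Bob's real key pair (constructed)
	if err != nil {
		return false, false, err
	}
	substitute, err := rsa.GenerateKey(rand.Reader, 2048) // key a server in the middle might offer instead
	if err != nil {
		return false, false, err
	}
	bobFP := fingerprint(&bob.PublicKey) // what Alice verified with Bob out of band
	vaultKey := make([]byte, 32)         // random symmetric key protecting the vault's items
	if _, err := rand.Read(vaultKey); err != nil {
		return false, false, err
	}
	item := []byte("login: example.org / hunter2 (constructed sample item)")
	sealed, err := sealItem(vaultKey, item)
	if err != nil {
		return false, false, err
	}
	if _, err := shareVault(vaultKey, &substitute.PublicKey, bobFP); err != nil {
		substituteRejected = true // the wrap never happened, so nothing useful reached the server
	}
	wrapped, err := shareVault(vaultKey, &bob.PublicKey, bobFP)
	if err != nil {
		return false, substituteRejected, err
	}
	recovered, err := acceptVault(wrapped, bob)
	if err != nil {
		return false, substituteRejected, err
	}
	plain, err := openItem(recovered, sealed)
	if err != nil {
		return false, substituteRejected, err
	}
	return bytes.Equal(plain, item), substituteRejected, nil
}

func main() {
	recovered, rejected, err := runShare()
	if err != nil {
		panic(err)
	}
	fmt.Printf("Bob recovered the item: %v; substituted key rejected: %v\n", recovered, rejected)
}
```

The whole argument rests on the fingerprint being obtained from Bob rather than from the service: if Alice simply accepts whatever public key the server returns for "Bob", there is nothing to compare against and the server can hand her a key it controls. That out-of-band comparison is the step a reviewer of any sharing design should look for.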


(Original tweeter here.) It seems that this is already fixed in Chrome 73 beta: https://twitter.com/jviide/status/1097199686849581057

Also setting "Enable network service" to disabled in chrome://flags appears to fix it: https://twitter.com/jviide/status/1097202611806261248


Real bug or test to see if anyone notices? I'm getting uncomfortably skeptical when it comes to Google these days.


