Alert: 1Password is warning users about a flaw that leaves all Mac users on versions before 8.10.36 exposed to theft of vault items by attackers. The high-severity vulnerability, which allowed attackers to target Mac users and obtain private information, has been fixed in the well-known password manager.
About the Issue on 1Password
1Password for Mac has a bug that bypasses the application's platform security protections. The flaw lets a malicious process running locally on the computer get past inter-process communication safeguards.
The Red Team at Robinhood reported this problem to 1Password after deciding to carry out a security assessment of 1Password for Mac. There have been no reports to 1Password that anyone else has found or exploited this vulnerability.
Affected Versions of 1Password
All 1Password 8 for Mac versions before 8.10.36 (July 2024) are impacted by this problem. Version 8.10.36 (July 2024) of 1Password for Mac has fixed the problem. This does not affect 1Password 7 for Mac.
Update to the most recent version of 1Password 8 for Mac if you are using one of the impacted versions.
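To check an installed copy against the version boundary above from Terminal, the following script is an added example (not 1Password's own tooling). It assumes the app lives at /Applications/1Password.app and that its version is in the bundle's CFBundleShortVersionString; the function and variable names are hypothetical.

```sh
#!/bin/sh
# Added example: classify a 1Password for Mac version string against the
# boundary stated on this page (8.x before 8.10.36 affected, 7 not affected).
FIX_MIN=10   # minor component of the first fixed release, 8.10.36
FIX_PAT=36   # patch component of the first fixed release, 8.10.36

# classify_version VERSION
# Prints one of: vulnerable | patched | not-affected | unknown
classify_version() {
    v=${1%%[!0-9.]*}          # keep the numeric prefix, drop suffixes like "-5.BETA"
    old_ifs=$IFS; IFS=.
    set -- $v                 # split on dots into $1 $2 $3
    IFS=$old_ifs
    maj=${1:-}; min=${2:-0}; pat=${3:-0}
    if [ -z "$maj" ]; then echo unknown; return 0; fi
    if [ "$maj" -eq 7 ]; then echo not-affected; return 0; fi
    # The page says nothing about majors older than 7, so do not guess.
    if [ "$maj" -lt 8 ]; then echo unknown; return 0; fi
    if [ "$maj" -gt 8 ]; then echo patched; return 0; fi
    if [ "$min" -lt "$FIX_MIN" ]; then echo vulnerable
    elif [ "$min" -gt "$FIX_MIN" ]; then echo patched
    elif [ "$pat" -lt "$FIX_PAT" ]; then echo vulnerable
    else echo patched
    fi
    return 0
}

# Assumed default install location; override with ONEPASSWORD_APP if needed.
app="${ONEPASSWORD_APP:-/Applications/1Password.app}"
plist="$app/Contents/Info.plist"
if [ -f "$plist" ]; then
    ver=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist")
    echo "1Password $ver: $(classify_version "$ver")"
fi
```

A result of "vulnerable" means the copy predates 8.10.36 and should be updated; the same function can be fed version strings collected from a device inventory.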
Impact of the Vulnerability
To take advantage of the vulnerability, an attacker must install malicious software designed to target 1Password for Mac on the machine. By taking advantage of missing macOS-specific inter-process validations, an attacker can assume the identity of or take control of a trusted 1Password component, like the 1Password browser extension or CLI.
This would enable the malicious software to exfiltrate vault items and to obtain the derived values used to sign in to 1Password, namely the account unlock key and “SRP-𝑥”. Go to page 19 of 1Password Security Design to find out more.
Users on the 1Password forum said: “Although it is now available, 1Password did not include it in their release notes at first.”
Millions of individual customers as well as about 150,000 organisations use 1Password to secure their login credentials, according to the company’s website. These numbers are not broken down by Windows, macOS, and mobile users, making it difficult to determine the actual number of people who could be impacted by the vulnerability.
AgileBits has confirmed that there are two vulnerabilities (CVE-2024-42219, CVE-2024-42218) in the macOS version of the well-known 1Password password manager that could enable malware to steal information from the software’s vaults and obtain the account unlock key.
How to make sure the Mac version of 1Password is updated
Even though 1Password does not appear to be aware of any attempts to obtain access through this “malicious process,” you may easily ensure your safety by following the instructions below:
- Launch 1Password 8 on a Mac.
- Click 1Password in the menu bar, then select “Check for Updates.”
- To make sure you are using the most recent version, select “Check for Updates” in the settings screen.
Fortunately, the solution is already available, but this could not have come at a worse time for the company, even though people (including myself) appreciate that it has acknowledged the problem.
It is still unclear, though, whether consumers will choose the available (and free) alternative over 1Password in light of the upcoming release of Apple’s Passwords app.