Using 1Password on Mac? Patch up if you don’t want your Vaults raided

Hundreds of thousands of users potentially vulnerable


Password manager maker 1Password is warning that all macOS users running versions earlier than 8.10.36 are vulnerable to a bug that lets malicious software already running on the machine steal vault items.

1Password Vaults are containers inside the app that let users separate credentials by purpose: personal accounts, family accounts, work logins, and so on.

These Vaults can be shared with others, which is useful for sharing logins for shared accounts like Dropbox, Adobe, and Netflix.

According to the company's website, circa 150,000 businesses use 1Password to protect their login credentials, and millions of individual consumers use it too. These figures aren't broken down into Windows, macOS, and mobile users, so it's not easy to pinpoint exactly how many may be affected by the vulnerability.

There's no evidence to suggest that CVE-2024-42219 (CVSS 7.0) has been exploited yet, but as ever, now that the details are public the risk of exploitation rises sharply, so patch up.

Based on 1Password's description, exploitation is local: an attacker first has to get malicious software that specifically targets 1Password for Mac running on the victim's machine, whether through social engineering or some other means.

"To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac," the company said in an advisory. "An attacker is able to misuse missing macOS-specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI.

"This would permit the malicious software to exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and 'SRP-x'.

"On macOS, 1Password uses the system-native XPC interface for inter-process communication. XPC allows enforcing additional protections, called the hardened runtime, which allows enforcing that processes you communicate with have additional protections from process tampering. This prevents certain local attacks from being possible."
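The advisory is describing the server side of an XPC service that does not verify who is on the other end of the connection. Below, as an added example that is not 1Password's code, is what that verification looks like for an NSXPCListener: the delegate resolves the peer from its audit token, checks it against a pinned code-signing requirement, and refuses peers that were not signed with the hardened runtime. The protocol name VaultService, the bundle identifier com.example.vault-helper, the Team ID ABCDE12345 and the "auditToken" key are assumptions: the first three are placeholders, and the last is undocumented Foundation behaviour rather than public API.

```objectivec
// Added example, not 1Password's code: an NSXPCListener delegate that only accepts
// peers which satisfy a designated code-signing requirement and were signed with
// the hardened runtime. Identifier, Team ID and protocol below are placeholders.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <bsm/libbsm.h>

// Hypothetical protocol the service exports to its trusted integration.
@protocol VaultService <NSObject>
- (void)itemWithID:(NSString *)itemID reply:(void (^)(NSData *item, NSError *error))reply;
@end

// Hypothetical designated requirement: pin to your own bundle identifier and Team ID.
// "anchor apple generic" on its own is satisfied by any Developer ID-signed binary.
static NSString *const kTrustedPeerRequirement =
    @"anchor apple generic and identifier \"com.example.vault-helper\" "
     "and certificate leaf[subject.OU] = \"ABCDE12345\"";

// Validate the peer identified by an audit token. Resolving the peer from its audit
// token rather than its PID avoids the PID-reuse race (a process can exit and its PID
// be handed to another process between lookup and check).
static BOOL PeerIsTrusted(audit_token_t token, NSString *requirementString) {
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData };
    NSNumber *flags = nil;
    SecCodeRef code = NULL;
    SecStaticCodeRef staticCode = NULL;
    SecRequirementRef requirement = NULL;
    CFDictionaryRef signingInfo = NULL;
    BOOL trusted = NO;

    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) != errSecSuccess) goto done;

    // 1. Identity: the running peer must satisfy the designated requirement.
    if (SecRequirementCreateWithString((__bridge CFStringRef)requirementString,
                                       kSecCSDefaultFlags, &requirement) != errSecSuccess) goto done;
    if (SecCodeCheckValidity(code, kSecCSDefaultFlags, requirement) != errSecSuccess) goto done;

    // 2. Tamper resistance: the peer must carry the hardened-runtime flag. Without it a
    //    requirement-satisfying process can be hijacked by library injection or via its
    //    task port and used as a front by the attacker.
    if (SecCodeCopyStaticCode(code, kSecCSDefaultFlags, &staticCode) != errSecSuccess) goto done;
    if (SecCodeCopySigningInformation(staticCode, kSecCSDefaultFlags, &signingInfo) != errSecSuccess) goto done;
    flags = ((__bridge NSDictionary *)signingInfo)[(__bridge NSString *)kSecCodeInfoFlags];
    if ((flags.unsignedIntValue & kSecCodeSignatureRuntime) == 0) goto done;

    trusted = YES;
done:
    if (signingInfo) CFRelease(signingInfo);
    if (staticCode) CFRelease(staticCode);
    if (requirement) CFRelease(requirement);
    if (code) CFRelease(code);
    return trusted;
}

@interface VaultListenerDelegate : NSObject <NSXPCListenerDelegate>
@property (nonatomic, strong) id<VaultService> service;   // object exported to trusted peers
@end

@implementation VaultListenerDelegate

- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    // Weak form, the class of bug described above: trusting any local process that can
    // reach the Mach service, or checking only newConnection.processIdentifier.
    //     [newConnection resume]; return YES;

    if (@available(macOS 13.0, *)) {
        // Public API: Foundation checks every message from the peer against the requirement
        // and invalidates the connection on failure. It does not check the hardened-runtime flag.
        [newConnection setCodeSigningRequirement:kTrustedPeerRequirement];
    }

    // Assumption: NSXPCConnection exposes the peer audit token only through the undocumented
    // "auditToken" key (an NSData wrapping audit_token_t in practice). Fail closed otherwise.
    audit_token_t token;
    id boxed = [newConnection valueForKey:@"auditToken"];
    if (![boxed isKindOfClass:[NSData class]] || [(NSData *)boxed length] != sizeof(token)) return NO;
    [(NSData *)boxed getBytes:&token length:sizeof(token)];
    if (!PeerIsTrusted(token, kTrustedPeerRequirement)) return NO;

    newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(VaultService)];
    newConnection.exportedObject = self.service;
    [newConnection resume];
    return YES;
}

@end
```

Two things a reviewer would look for here: the check keys on the audit token, because a PID-based lookup (newConnection.processIdentifier fed to kSecGuestAttributePid) can be raced by a process that exits and hands its PID to the attacker's; and the requirement pins a bundle identifier and Team ID, since a looser requirement is satisfied by any signed binary the attacker cares to ship.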

The security and red team at investment and trading app Robinhood found the vulnerability while probing 1Password, and the company credited them for the discovery.

Think you might be vulnerable? 1Password offered no workarounds, so updating to version 8.10.36 or later is the only way to close the hole. ®
