1Password Vulnerability for MacOS Causes Credentials Leak


A critical vulnerability was discovered in 1Password that allows attackers to steal vault items by bypassing the app’s security measures. It affects only the macOS version of the program, but every release prior to the patch. A patch is now available, and users are strongly advised to update as soon as possible.

1Password Vulnerability Let Attackers Exfiltrate Vault Items

1Password developers reported a critical vulnerability found in the Mac version of the app. This vulnerability, identified as CVE-2024-42219, was discovered by Robinhood’s Red Team during an independent security assessment of 1Password for Mac. It allows a malicious process running locally on a computer to bypass protections for inter-process communication. This issue affects all app versions up to 8.10.36.

"On macOS, 1Password uses the system-native XPC interface for inter-process communication. XPC allows enforcing additional protections called the hardened runtime which allows enforcing processes you communicate with have additional protections from process tampering. This prevents certain local attacks from being possible."
1Password Support

Vulnerabilities in password managers are always a major headache for both developers and users. The recent events around the LastPass password manager, which led to a huge leak of login credentials, are a perfect example of what may happen if such a case is not managed properly. Fortunately, 1Password acknowledged the issue well before hackers started exploiting it in real-world attacks.

Technical Details

The CVE-2024-42219 vulnerability is related to bypassing inter-process communication (IPC) protections in 1Password for Mac across all versions up to 8.10.36. If a malicious process is running locally on the computer, it can circumvent these protections. This allows attackers to steal vault items and obtain credentials necessary for logging into 1Password, such as the account unlock key and SRP-𝑥 (Secure Remote Password) values. 1Password Vaults are secure containers for storing and organizing items, allowing users to share specific information with selected individuals. Essentially, they are mini password managers within the main application.

However, certain conditions are required to exploit this vulnerability: the attacker needs to convince the user to execute malicious software on their computer. During the attack, the absence of specific macOS checks for inter-process communication can be exploited. This allows the attacker to spoof or hijack trusted 1Password integrations, such as the browser extension or command-line interface. Fortunately, there have been no reports of this vulnerability being exploited in the wild.

1Password’s Response

1Password promptly released an update to patch this vulnerability as soon as they were notified. Details about the issue were disclosed on relevant news platforms after the patch was released, which upset some users who expected to see it in the changelog. However, it’s clear that the company withheld the details until then to ensure user safety.

1Password strongly recommends that all users update their app to version 8.10.36 as soon as possible to mitigate potential risks. The company also expressed gratitude to Robinhood’s team for responsibly disclosing the vulnerability and for their close collaboration, which ensured timely protection for users.
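
The check below is an added example, not code from 1Password or from this article: it compares an installed 1Password for Mac version against 8.10.36 numerically, field by field, so that releases such as 8.10.4 or 8.9.9 are correctly flagged as older. The install path and the use of PlistBuddy to read the bundle version are assumptions.

```shell
#!/bin/sh
# Added example: flag 1Password for Mac installs older than the release the
# article says to update to.
FIXED_VERSION="8.10.36"   # version named in the article
APP_PLIST="/Applications/1Password.app/Contents/Info.plist"   # assumed path

# version_lt A B: succeed when dotted version A is numerically lower than B.
# Fields are compared as integers, so 8.10.4 < 8.10.36 and 8.9.9 < 8.10.0,
# which a plain string comparison gets wrong.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}
        fb=${b%%.*}
        # Drop any non-digit suffix (e.g. "36-beta"); missing fields count as 0.
        fa=${fa%%[!0-9]*}
        fb=${fb%%[!0-9]*}
        fa=${fa:-0}
        fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        # Advance to the next field, or empty the string when none is left.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # versions are equal
}

# check_version V: print a verdict; return 0 if patched, 1 if an update is needed.
check_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "1Password $1: older than $FIXED_VERSION, update required"
        return 1
    fi
    echo "1Password $1: at or above $FIXED_VERSION"
}

# Check the local install only when it is present (macOS).
if [ -f "$APP_PLIST" ]; then
    installed=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$APP_PLIST")
    check_version "$installed" || true
fi
```
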

By Stephanie Adlam
