
A critical security issue in 1Password for Mac left credentials vulnerable to attack

1Password has disclosed a critical security flaw present in older versions of its popular password manager

1Password has disclosed a now-patched critical security flaw in its software that could give attackers access to users’ unlock keys and credentials. Here’s what to do to keep your data safe.

According to the company, all versions of 1Password for Mac before version 8.10.36 (July 2024) are vulnerable to the exploit. Thankfully, the issue can be resolved with relative ease by updating the 1Password application to version 8.10.36, which has already been made available.

There are currently no indications that the exploit has been used in the wild. The issue was discovered during an independent security assessment of the app by the Red Robinhood team, after which it was reported to 1Password.

Even so, 1Password’s security post recommends that users still running an affected version, meaning any version of 1Password for Mac before 8.10.36, update the app.

An issue has been identified in 1Password for Mac that affects the app’s platform security protections. This issue enables a malicious process running locally on a machine to bypass inter-process communication protections.

To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac. An attacker is able to misuse missing macOS-specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI. This would permit the malicious software to exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and “SRP-x.”

As mentioned earlier, the vulnerability can be patched by updating the 1Password for Mac application to version 8.10.36, as is recommended by the company.
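
A check for the affected version range stated above, as an added example that is not part of the original article or 1Password's own tooling: it reads the app bundle's version and compares it numerically with 8.10.36. The bundle path `/Applications/1Password.app` and all function names are assumptions.

```shell
#!/bin/sh
# Added example: flag 1Password for Mac installs older than the fixed release.
FIXED_VERSION="8.10.36"                    # fixed version named in the article
DEFAULT_APP="/Applications/1Password.app"  # assumed install path, not from the article

# version_lt A B: succeeds when dotted version A is older than B.
# Components compare numerically, so 8.10.4 sorts before 8.10.36.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop any non-numeric suffix; a missing component counts as 0.
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# classify_version V: prints "vulnerable" or "patched".
classify_version() {
    if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo patched; fi
}

# audit_app [BUNDLE]: prints the finding; returns 0 when patched or absent,
# 1 when vulnerable, 2 when the version cannot be read.
audit_app() {
    plist="${1:-$DEFAULT_APP}/Contents/Info.plist"
    if [ ! -f "$plist" ]; then echo "not-installed"; return 0; fi
    ver=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null) \
        || { echo "unreadable"; return 2; }
    state=$(classify_version "$ver")
    echo "$ver $state"
    [ "$state" = patched ]
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_app "${2:-}"
    exit $?
fi
```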
