CyberSecurity SEE

Serious 1Password vulnerabilities could be exploited by hackers to steal your passwords (CVE-2024-42219, CVE-2024-42218)

Two vulnerabilities affecting the macOS version of the popular 1Password password manager have been confirmed by AgileBits, the software’s maker. The vulnerabilities, known as CVE-2024-42219 and CVE-2024-42218, could potentially allow malware to steal secrets stored in the software’s vaults and obtain the account unlock key.

The vulnerabilities were discovered by the Robinhood Red Team during a security assessment of 1Password for Mac and were privately reported to AgileBits. The company quickly addressed the issues in two consecutive software updates: v8.10.36, released on July 9, and v8.10.38, released on August 6. AgileBits has stated that they have not received any reports of the vulnerabilities being discovered or exploited by anyone else.

CVE-2024-42219 allows a malicious process, such as malware, to bypass inter-process communication protections on a local machine. This could potentially enable an attacker to hijack or impersonate trusted 1Password integrations like the browser extension or CLI. On the other hand, CVE-2024-42218 may allow attackers to bypass macOS-specific security mechanisms by utilizing outdated versions of the 1Password for Mac app. By running malicious software on a user’s computer and loading an old version of 1Password, attackers could access sensitive information stored in the macOS Keychain.

In both cases, exploitation of the vulnerabilities could lead to the exfiltration of vault items and to obtaining derived values used for signing in to 1Password, including the account unlock key. It’s important to note that these vulnerabilities only affect 1Password for Mac users. AgileBits recommends that users who do not have the “Install updates automatically” option enabled should upgrade to the latest version as soon as possible. Users who have not yet installed the latest version will be prompted to update when they open the app.
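As an added example, not code from the article or from AgileBits: a small POSIX shell check a Mac administrator could run to confirm that the installed 1Password build is at or beyond v8.10.38, the later of the two fix releases named above. The application bundle path is an assumption, and the version comparison is done field by field because macOS `sort` has no `-V` option.

```shell
#!/bin/sh
# Added example: verify an installed 1Password for Mac version against the
# release that closed both CVE-2024-42218 and CVE-2024-42219 (v8.10.38).
FIXED_VERSION="8.10.38"
# Assumed bundle location; adjust if 1Password is installed elsewhere.
APP_PLIST="/Applications/1Password.app/Contents/Info.plist"

# Compare two dotted version strings numerically, field by field.
# Prints -1, 0 or 1 for "$1" <, =, > "$2". Missing fields count as 0 and a
# non-numeric suffix such as "-beta" is ignored.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -lt "$bx" ]; then echo -1; return; fi
        if [ "$ax" -gt "$bx" ]; then echo 1; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    echo 0
}

# Succeeds (exit 0) when the given version already contains both fixes.
is_patched() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# Stand-alone use on a Mac: read the bundle's CFBundleShortVersionString.
if [ -f "$APP_PLIST" ]; then
    installed="$(/usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "$APP_PLIST" 2>/dev/null)"
    if is_patched "$installed"; then
        echo "1Password $installed: includes the CVE-2024-42218/42219 fixes"
    else
        echo "1Password $installed: older than $FIXED_VERSION, update needed"
    fi
fi
```

Run under a fleet management tool, the exit status of `is_patched` gives a simple compliance signal for machines that have automatic updates switched off.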

The existence of these vulnerabilities was kept confidential until recently when security advisories were published, and the software’s release notes were updated. The Robinhood Red Team is set to discuss their research at DEF CON this weekend, with additional details about the flaws expected to be released afterward.

In light of these vulnerabilities, it is crucial for 1Password for Mac users to stay informed and take necessary precautions to protect their sensitive information. Being proactive in updating software and following recommended security practices can help mitigate the risks associated with potential security threats. AgileBits continues to prioritize the security and privacy of its users and remains committed to addressing any vulnerabilities promptly to ensure a safe user experience.
