Critical 1Password flaws may allow hackers to snatch your passwords (CVE-2024-42219, CVE-2024-42218)
Two vulnerabilities (CVE-2024-42219, CVE-2024-42218) affecting the macOS version of the popular 1Password password manager could allow malware to steal secrets stored in the software’s vaults and obtain the account unlock key, AgileBits has confirmed.
Discovered by the Robinhood Red Team during a security assessment of 1Password for Mac and then privately reported to the software’s makers, the vulnerabilities have been fixed in two consecutive versions of the software: v8.10.36 (released on July 9) and v8.10.38 (released on August 6).
AgileBits says that they have received no reports that these issues were discovered or exploited by anyone else.
The vulnerabilities (CVE-2024-42219, CVE-2024-42218)
CVE-2024-42219 enables a malicious process – i.e., malware – running locally on a machine to bypass inter-process communication protections.
“An attacker is able to misuse missing macOS specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI,” the company says.
CVE-2024-42218 may allow attackers to bypass macOS-specific security mechanisms by using outdated versions of the 1Password for Mac app.
“To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac. If an attacker is able to load an old version of 1Password on a user’s computer, they could then access 1Password associated secrets stored in the macOS Keychain,” the advisory notes.
“This issue leverages out-of-date versions of 1Password that contain vulnerabilities in 3rd party dependencies and are missing security hardening measures enabled in all modern versions of 1Password. An attacker can use the existence of these old versions to create an attack on newer versions of the apps.”
In both cases, exploitation of the flaw would allow the malware to “exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key [AUK] and ‘SRP-‘”.
The vulnerabilities affect only 1Password for Mac.
Users don’t have the “Install updates automatically” option switched on are advised to upgrade to the latest version as soon as possible. Those who do have had their app already upgraded or will be asked to do it once they start it.
More details are forthcoming
The existence of the vulnerabilities has been kept on the down-low until this week, when the respective security advisories have been published and the page with the release notes for the software has been updated.
The Robinhood Red team is also scheduled to talk about their research at DEF CON this Saturday, and more details about the flaws will be released after that.