Critical 1Password flaws may allow hackers to snatch your passwords (CVE-2024-42219, CVE-2024-42218)
Two vulnerabilities (CVE-2024-42219, CVE-2024-42218) affecting the macOS version of the popular 1Password password manager could allow malware to steal secrets stored in the software’s vaults and obtain the account unlock key, AgileBits has confirmed.
Discovered by the Robinhood Red Team during a security assessment of 1Password for Mac and then privately reported to the software’s makers, the vulnerabilities have been fixed in two consecutive versions of the software: v8.10.36 (released on July 9) and v8.10.38 (released on August 6).
AgileBits says that they have received no reports that these issues were discovered or exploited by anyone else.
The vulnerabilities (CVE-2024-42219, CVE-2024-42218)
CVE-2024-42219 enables a malicious process – i.e., malware – running locally on a machine to bypass inter-process communication protections.
“An attacker is able to misuse missing macOS specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI,” the company says.
CVE-2024-42218 may allow attackers to bypass macOS-specific security mechanisms by using outdated versions of the 1Password for Mac app.
“To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac. If an attacker is able to load an old version of 1Password on a user’s computer, they could then access 1Password associated secrets stored in the macOS Keychain,” the advisory notes.
“This issue leverages out-of-date versions of 1Password that contain vulnerabilities in 3rd party dependencies and are missing security hardening measures enabled in all modern versions of 1Password. An attacker can use the existence of these old versions to create an attack on newer versions of the apps.”
In both cases, exploitation of the flaw would allow the malware to “exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key [AUK] and ‘SRP-’”.
The vulnerabilities affect only 1Password for Mac.
Users who don’t have the “Install updates automatically” option switched on are advised to upgrade to the latest version as soon as possible.
More details are forthcoming
The existence of the vulnerabilities was kept on the down-low until this week, when the respective security advisories were published and the release notes page for the software was updated.
The Robinhood Red Team is also scheduled to talk about their research at DEF CON this Saturday, and more details about the flaws will be released after that.
UPDATE (August 12, 2024, 02:00 p.m. ET):
1Password CTO Pedro Canahuati has shared additional details about Robinhood’s findings, and noted that all the vulnerabilities are local and require a device to be compromised (e.g., by malware) and controlled by a bad actor.
Aside from CVE-2024-42219 and CVE-2024-42218, there was a third flaw that may allow attackers to modify 1Password settings simply by changing them in the unprotected JSON file on disk where they are stored. This vulnerability was fixed in August.
“The one unresolved issue involves how Chromium-based browsers (for example, but not limited to: Chrome, Edge, Brave, etc.) and Firefox manage communication between all browser extensions and all desktop apps. The channel between the application and browser extension is subject to spoofing, which could allow a local attacker to pretend to be the browser and communicate with 1Password to obtain user secrets,” he explained.
“It can’t be resolved because third-party desktop applications communicating with browsers, including 1Password, are unable to detect if a browser is being controlled by malware, and thus verify the browser authenticity. There is no alternative or more secure technology provided.”