News: 1723124709

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Using 1Password on Mac? Patch up if you don’t want your Vaults raided

(2024/08/08)


Password manager 1Password is warning that all Mac users running versions before 8.10.36 are vulnerable to a bug that allows attackers to steal vault items.

1Password Vaults are essentially mini [1]password managers inside the main app itself. They allow users to separate passwords used for different purposes, like personal accounts, family accounts, work-related credentials, and so on and so forth.

These Vaults can be shared with others, which is useful for sharing logins for shared accounts like Dropbox, Adobe, and Netflix.

[2]

According to the company's website, circa 150,000 businesses use 1Password to protect their login credentials, and millions of individual consumers use it too. These figures aren't broken down into Windows, macOS, and mobile users, so it's not easy to pinpoint exactly how many may be affected by the vulnerability.

[3]

[4]

There's no evidence to suggest that CVE-2024-42219 (CVSS 7.0) has been exploited yet, but as ever, now it's public the risk of exploitation increases exponentially, so patch up.

Based on 1Password's description of the vulnerability, an attacker would need to develop and install a specific program on a victim's machine that targeted [5]1Password on Mac, either through [6]social engineering or other means.

[7]

"To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac," the company said in an [8]advisory . "An attacker is able to misuse missing macOS-specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password [9]browser extension or CLI.

[10]1Password confirms attacker tried to pull list of admin users after Okta intrusion

[11]Crooks don't need ChatGPT to social-engineer victims, as they're more than happy to demonstrate

[12]Risk of installing dodgy extensions from Chrome store way worse than Google's letting on, study suggests

[13]Robinhood's crypto unit hit with $30m fine over security, anti-crime misses

"This would permit the malicious software to exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and 'SRP-𝑥'.

"On macOS, 1Password uses the system-native XPC interface for inter-process communication. XPC allows enforcing additional protections called the hardened runtime which allows enforcing processes you communicate with have additional protections from process tampering. This prevents certain local attacks from being possible."

The security and red teaming pros at investment and trading app [14]Robinhood discovered the vulnerability after deciding to probe 1Password and were thanked for the discovery.

Think you might be vulnerable? No mitigations were provided by 1Password, so patching up to version 8.10.36 is your only shot at securing those credentials. ®

Get our [15]Tech Resources



[1] https://www.theregister.com/2023/01/16/dump_lastpass_bitwarden/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZrTrpOw@hKS-jz6zf6uXWAAAAAs&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrTrpOw@hKS-jz6zf6uXWAAAAAs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrTrpOw@hKS-jz6zf6uXWAAAAAs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://www.theregister.com/2023/10/24/1password_confirms_all_logins_are/

[6] https://www.theregister.com/2023/04/29/kaspersky_social_engineering/

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrTrpOw@hKS-jz6zf6uXWAAAAAs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://support.1password.com/kb/202408a/

[9] https://www.theregister.com/2024/06/23/google_chrome_web_store_vetting/

[10] https://www.theregister.com/2023/10/24/1password_confirms_all_logins_are/

[11] https://www.theregister.com/2023/04/29/kaspersky_social_engineering/

[12] https://www.theregister.com/2024/06/23/google_chrome_web_store_vetting/

[13] https://www.theregister.com/2022/08/02/robinhoods_crypto_penalty/

[14] https://www.theregister.com/2022/08/02/robinhoods_crypto_penalty/

[15] https://whitepapers.theregister.com/



Quick and easy update.

Anonymous Coward

Thanks for the heads up. Download and install of the update was painless and took less than 30 seconds.

There was a note upon relaunch that some settings were reset to default; I guess this was also precautionary.

Does this also apply to 1Password 7?

Anonymous Coward

Any "versions before 8.10.36" would suggest 1Password 7 is also affected. I would just like to prevent upgrading from 7 to 8 if I can.

MS-DOS didn't get as bad as it is overnight -- it took over ten years
of careful development