A vulnerability in 1Password 8 for Mac allows attackers to steal passwords. Updating quickly reduces the risk.

1Password 8 for Mac contains a major security flaw that allows hackers to steal passwords. The vulnerability, dubbed CVE-2024-42219, was discovered by Robinhood’s Red Team during an independent security assessment of 1Password for Mac.

The flaw allows local execution of rogue software to compromise security measures in macOS, allowing hackers to bypass missing macOS-specific validations in inter-process communication. This allows an attacker to impersonate a trusted 1Password integration, such as a browser extension or CLI.

The consequences of this are potentially serious: an attacker could steal sensitive data from users’ vaults as well as the derived values ​​required to log into 1Password, such as the unlock key and password. SRP-x-Value.

Update quickly

All versions of 1Password 8 for Mac released before version 8.10.36 are vulnerable to this vulnerability. Users of these versions are strongly advised to update the software to the latest version to resolve the issue. There have been no reports of the vulnerability being discovered or exploited by third parties.

1Password uses macOS’s XPC interface for inter-process communication. This interface provides additional protection against process tampering, but in this case the required additional protections were not properly enforced, allowing this vulnerability to occur.

Applying the recommended update will fix the bug and improve the security of the application.

Security issues affecting password vaults can have significant impact. Fortunately, the 1Password bug is not very impactful and was discovered before it could be exploited. 1Password’s competitors have not been so lucky. Just think of LastPass, where hackers were able to steal customer data.