1Password, one of the most widely used password managers, has urged Mac users to install a patch for its credential storage after a bug was discovered that lets attackers with code running on the machine read the contents of vaults.
1Password allows users to create password vaults within the app to separate their credentials between work and personal life, for example.
But this vulnerability, tracked as CVE-2024-42219 with a CVSS score of 7.0, could be exploited by attackers who already have local code execution to steal entire password vaults from macOS users running 1Password 8 releases earlier than 8.10.36, the version that carries the fix.
Breaking the vault
The flaw was discovered by Robinhood’s security team, which set out to test the 1Password app for vulnerabilities. The National Vulnerability Database describes it as a vulnerability that allows “local attackers to extract items from the vault because XPC’s inter-process communication validation is insufficient.”
In an advisory, the company stated: “To exploit the issue, an attacker must execute malicious software on a computer that specifically targets 1Password for Mac. An attacker can abuse missing macOS-specific cross-process validations to hijack or impersonate a trusted 1Password integration, such as a browser extension or the 1Password CLI.”
“This would allow the malware to extract items from the vault, as well as obtain derived values used to log into 1Password, specifically the account unlock key and ‘SRP-x’.”
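The “missing cross-process validations” the advisory refers to are the class of bug in which an XPC service hands out its functionality to any local process that can reach its Mach service name, so malware running as the user can pose as the CLI or browser-extension helper. As an added illustration (not 1Password’s code, and not a reproduction of the vulnerable code), the Swift below contrasts a listener that accepts every connection with one that binds each connection to a code-signing requirement before any message is handled. The service name, protocol, item data, bundle identifier and Team ID are hypothetical placeholders.

```swift
import Foundation
import Security

// Interface a vault service exposes over XPC. Hypothetical names; the real
// 1Password integration protocol is not public and is not reproduced here.
@objc protocol VaultService {
    func fetchItem(named name: String, reply: @escaping (String?) -> Void)
}

final class VaultServiceImpl: NSObject, VaultService {
    // Constructed sample data standing in for an unlocked vault.
    private let items = ["example.com": "hunter2"]

    func fetchItem(named name: String, reply: @escaping (String?) -> Void) {
        reply(items[name])
    }
}

// Weak pattern: every local process that connects is served. Any program
// running under the same user account can impersonate the trusted client
// and pull items out of the vault.
final class UncheckedListenerDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        connection.exportedInterface = NSXPCInterface(with: VaultService.self)
        connection.exportedObject = VaultServiceImpl()
        connection.resume()
        return true
    }
}

// Hardened pattern: attach a code-signing requirement to the connection.
// On macOS 13 and later NSXPCConnection evaluates it against the peer's
// audit token for every message, so a PID-reuse race does not bypass it.
// The identifier and Team ID are placeholders for the trusted client's values.
final class SignedPeerListenerDelegate: NSObject, NSXPCListenerDelegate {
    private let requirement =
        "anchor apple generic and identifier \"com.example.vault-cli\" " +
        "and certificate leaf[subject.OU] = \"ABCDE12345\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        guard #available(macOS 13.0, *) else {
            // No public per-message peer check exists on older systems: fail closed.
            return false
        }
        connection.setCodeSigningRequirement(requirement)
        connection.exportedInterface = NSXPCInterface(with: VaultService.self)
        connection.exportedObject = VaultServiceImpl()
        connection.resume()
        return true
    }
}

// Hypothetical Mach service name; the delegate must be held strongly because
// NSXPCListener keeps only a weak reference to it.
let listener = NSXPCListener(machServiceName: "com.example.vault-service")
let delegate = SignedPeerListenerDelegate()
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

Two caveats a reviewer would raise. First, a one-shot check of the peer's PID with SecCodeCopyGuestWithAttributes at connection time is not equivalent to the requirement above: PIDs are reused, and the process that passed the check may not be the one sending later messages. Second, a signing requirement vouches for the client binary, not for everything loaded into it, so the trusted client itself should ship with the hardened runtime and library validation enabled; otherwise an attacker can inject into a legitimately signed helper and inherit its identity.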
Exploiting the flaw requires the attacker to first get malicious code running on the target Mac, for example by tricking the user into installing a custom program; it cannot be triggered remotely. So far there is no evidence that this has been done in the wild.
1Password says that around 150,000 businesses rely on it to store important credentials, but it's unclear how many of them use macOS devices. The flaw lies in macOS-specific XPC inter-process validation, so Windows users are not affected.