1Password users on Mac need to update urgently: attackers could access vaults


Popular password manager 1Password has patched a high-severity vulnerability that allows attackers to target Mac users and access sensitive secrets.

The issue, tracked as CVE-2024-42219, affects all 1Password for Mac versions before version 8.10.36, released in July 2024. It has a severity score of 7 out of 10. However, the company is urging users to update to the newest version.

The vulnerability allows attackers to use malicious software and exfiltrate vault items, which basically means stealing passwords, credit cards, and other sensitive information stored in 1Password. Attackers can also obtain an account unlock key and a special code for signing into the application.

ADVERTISEMENT

Vaults can be shared with other users, who can view and edit items.

“To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac. An attacker is able to misuse missing macOS-specific inter-process validations to hijack or impersonate a trusted 1Password integration, such as the 1Password browser extension or CLI (command line interface),” the company disclosed.

Fortunately, there’s no evidence that malicious attackers have exploited this loophole in the wild. The vulnerability was discovered and disclosed by the investment platform Robinhood’s security team (Red Team), which conducted an independent security assessment.

The company also noted that on macOS, 1Password uses the system-native XPC interface (a low-level interprocess communication mechanism) for interprocess communication. It enforces additional protections called the hardened runtime and prevents certain local attacks from being possible.