1Password has shared that its software for Mac has a vulnerability that exposes users to a potentially serious threat. Along with attackers being able to compromise credentials, the flaw can give bad actors access to your account unlock key.
1Password revealed the details of the flaw in a security post. Fortunately, the vulnerability hasn’t been reported as exploited in the wild – but it’s still important to update your software to make sure you’re safe.
An issue has been identified in 1Password for Mac that affects the app’s platform security protections. This issue enables a malicious process running locally on a machine to bypass inter-process communication protections.
This issue was responsibly disclosed to us by Robinhood’s Red Team after they chose to conduct an independent security assessment of 1Password for Mac. 1Password has received no reports that this issue was discovered or exploited by anyone else.
How to make sure 1Password for Mac is safe
The company says all users running 1Password 8 for Mac before version 8.10.36 (July 2024) are affected.
Fortunately, version 8.10.36, available now, fixes the vulnerability. So be sure to check what build you have installed.
Here’s how the flaw works:
To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac. An attacker is able to misuse missing macOS specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI.
This would permit the malicious software to exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and “SRP-𝑥”. Learn more on page 19 of 1Password Security Design.
FTC: We use income earning auto affiliate links. More.
