A serious vulnerability has been discovered in the 1Password password manager on Mac. It allows attackers to steal credentials stored in users’ vaults, as well as the account unlock key. The flaw was reported by Robinhood’s security team, who responsibly alerted 1Password’s vendor before disclosure, so fortunately it was not exploited.
A flaw exploitable by local malware
The flaw, tracked as CVE-2024-42219, resides in versions of 1Password 8 for Mac prior to 8.10.36. To exploit it, an attacker would need to run malware specifically designed to target 1Password on the victim’s computer.
This malware can then bypass macOS’s inter-process communication protections to masquerade as a trusted 1Password browser extension. Once trusted, it is able to exfiltrate the contents of 1Password vaults, as well as obtain the account unlock key and the other secrets needed to sign in to the account.
No exploitation detected at this time
Fortunately, AgileBits, the maker of 1Password, says it has not received any reports of this vulnerability being exploited outside of its discovery by Robinhood’s security team, which responsibly notified 1Password after conducting an independent audit.
However, now that the details of the flaw are public, the risk of it being actively exploited by cybercriminals increases dramatically, making it crucial to update 1Password as soon as possible.
How to protect yourself?
The vulnerability has been fixed in 1Password for Mac version 8.10.36, so all users are advised to ensure they have this version or a newer one.
Normally, 1Password automatically checks for updates 5 minutes after opening, and then every day. You’ll see a notification if a new version is available when the app is unlocked. If it’s locked, the update is installed automatically in the background.
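For users or administrators who want to verify the patch level rather than wait for the in-app notification, the following shell script is an added example (it is not from the article or from AgileBits). It reads the bundle version of the installed app and compares it with 8.10.36 component by component, so that 8.10.4 is correctly treated as older than 8.10.36. It assumes the app is installed at the default location /Applications/1Password.app and that its version is recorded under CFBundleShortVersionString in Info.plist; on a machine where that file is absent it falls back to a constructed sample version so the logic can still be exercised.

```shell
#!/bin/sh
# Added example, not code from the article or from 1Password.
# Checks whether the installed 1Password for Mac is at or above 8.10.36,
# the first version that includes the fix for CVE-2024-42219.
# Assumptions: default install path and the CFBundleShortVersionString key.

FIXED_VERSION="8.10.36"
APP_PLIST="/Applications/1Password.app/Contents/Info.plist"

# version_lt A B: succeed (return 0) if dotted version A is older than B.
# Each numeric component is compared in turn; a missing component counts as 0.
# Assumes purely numeric components (e.g. 8.10.36), not beta suffixes.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ax="${ax:-0}"; bx="${bx:-0}"
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
    done
    return 1   # equal versions are not "less than"
}

# installed_version: read the bundle version from the app's Info.plist on
# macOS; elsewhere fall back to a constructed sample so the script still runs.
installed_version() {
    if [ -r "$APP_PLIST" ] && command -v defaults >/dev/null 2>&1; then
        defaults read "$APP_PLIST" CFBundleShortVersionString
    else
        echo "8.10.34"   # constructed sample: a pre-fix version
    fi
}

# check_version V: print a verdict; return 0 if patched, 1 if still vulnerable.
check_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "1Password $1 is VULNERABLE to CVE-2024-42219: update to $FIXED_VERSION or later"
        return 1
    fi
    echo "1Password $1 includes the fix for CVE-2024-42219"
    return 0
}

# Non-zero status means "vulnerable"; it is swallowed here so the report
# always prints, while a fleet wrapper can call check_version directly.
check_version "$(installed_version)" || true
```

The component-wise comparison matters because a plain string comparison would rank 8.10.4 above 8.10.36; in a fleet inventory, call check_version on each host's reported version and treat a non-zero exit status as an outstanding update.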
With millions of individual users and 150,000 business customers, 1Password is one of the most popular password managers, especially on Mac. While the exact number of vulnerable users is unknown, it is likely in the hundreds of thousands.
If you are a 1Password user on Mac, don’t take any chances and check now that you have applied the security patch. Your passwords will thank you!