Two vulnerabilities in 1Password 8 for Mac have been identified, including one that allows downgrade attacks, that could expose the contents of users' vaults.
The two flaws, tracked as CVE-2024-42218 and CVE-2024-42219, were uncovered during an independent security assessment conducted by Robinhood's Red Team, which responsibly disclosed the issue to the 1Password team. This vulnerability primarily targets older versions of 1Password for Mac, enabling malicious actors to bypass macOS security mechanisms and potentially access sensitive data stored within the application.
The first vulnerability, CVE-2024-42219, affects 1Password versions before 8.10.36, released in July 2024. This flaw allows a malicious process running locally on a macOS machine to bypass inter-process communication (IPC) protections.
Specifically, the attacker could hijack or impersonate trusted 1Password integrations such as the browser extension or command-line interface (CLI). Exploiting this vulnerability would enable the exfiltration of vault items and sensitive values, such as the account unlock key and the SRP-x, which are critical components in the secure login process of 1Password.
The second vulnerability, CVE-2024-42218, impacts versions before 8.10.38, released in August 2024. This downgrade issue allows attackers to bypass macOS-specific security features by running outdated versions of 1Password: by loading an old version of 1Password on a user's device, a malicious actor could gain access to 1Password-associated secrets stored in the macOS Keychain, again leading to the exfiltration of vault contents and sensitive login credentials.
1Password is a widely-used password manager designed to securely store and manage users' passwords, credentials, and other sensitive information. With a significant user base, particularly among those who prioritize digital security, the discovery of these vulnerabilities highlights the importance of staying updated with the latest software versions.
Although no reports suggest these vulnerabilities have been exploited in the wild, the potential risk is significant.
To mitigate the risk posed by these vulnerabilities, users of 1Password for Mac are strongly advised to update to the latest version immediately.
Version 8.10.38 addresses both flaws by enhancing the security of inter-process communication and preventing the exploitation of outdated versions.
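For administrators who need to confirm the remediation across a fleet rather than trust the auto-updater, the following script checks whether the installed 1Password for Mac build is at or above 8.10.38, the version the article names as fixing both CVEs. This is an added example, not code from the article or from 1Password; the application bundle path (/Applications/1Password.app) and the CFBundleShortVersionString plist key are assumptions based on the standard macOS bundle layout. It compares versions field by field, so 8.10.9 is correctly ranked below 8.10.38 (a plain string comparison gets this wrong).

```shell
#!/bin/sh
# Added example: verify that 1Password for Mac is at least the version that
# fixes CVE-2024-42218 and CVE-2024-42219 (8.10.38, per the article).
# Assumptions (not from the article): standard bundle path and Info.plist key.

FIXED_VERSION="8.10.38"
APP_PLIST="/Applications/1Password.app/Contents/Info.plist"

# version_at_least ACTUAL REQUIRED
# Numeric, field-by-field comparison of dotted versions; missing fields count
# as 0 (so 8.10 == 8.10.0). Returns 0 when ACTUAL >= REQUIRED, 1 otherwise.
version_at_least() {
    awk -v a="$1" -v r="$2" 'BEGIN {
        na = split(a, A, ".")
        nr = split(r, R, ".")
        n = (na > nr) ? na : nr
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nr) ? R[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# installed_version [PLIST]
# Prints the bundle's marketing version via `defaults read`; returns 1 when
# the bundle (or the macOS `defaults` tool) is not present.
installed_version() {
    plist="${1:-$APP_PLIST}"
    [ -f "$plist" ] || return 1
    command -v defaults >/dev/null 2>&1 || return 1
    defaults read "$plist" CFBundleShortVersionString 2>/dev/null
}

# check_1password [PLIST]
# Exit status: 0 = patched, 1 = vulnerable (below fixed version), 2 = not installed.
# The status makes the script usable directly from MDM or CI compliance jobs.
check_1password() {
    v=$(installed_version "$@") || {
        echo "1Password.app not found at ${1:-$APP_PLIST}"
        return 2
    }
    if version_at_least "$v" "$FIXED_VERSION"; then
        echo "OK: 1Password $v >= $FIXED_VERSION (CVE-2024-42218/CVE-2024-42219 fixed)"
        return 0
    fi
    echo "VULNERABLE: 1Password $v < $FIXED_VERSION; update required"
    return 1
}

# Run the check when the bundle is present (i.e. on a Mac with 1Password installed).
if [ -f "$APP_PLIST" ]; then
    check_1password
fi
```

Because the fixed version is pinned in the script rather than "whatever is latest", the check stays meaningful even if the auto-updater has been disabled or a downgraded copy has been placed in /Applications, which is exactly the scenario CVE-2024-42218 describes.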