Critical 1Password Vulnerability Exposes User Vaults

Lilu Anderson

CVE-2024-42219 – The Vulnerability

A critical vulnerability, designated as CVE-2024-42219, has been identified in 1Password 8 for Mac. This flaw allows malicious actors to exfiltrate vault items by bypassing the app’s platform security protections.

Robinhood’s Red Team responsibly disclosed the issue following an independent security assessment of 1Password for Mac.

What is CVE-2024-42219?

The vulnerability affects the inter-process communication (IPC) protections of 1Password for Mac. Specifically, a malicious process running locally on a machine can exploit this flaw to bypass IPC protections. This would enable an attacker to hijack or impersonate trusted 1Password integrations, such as the 1Password browser extension or Command Line Interface (CLI).

Who is Affected?

This vulnerability affects all versions of 1Password 8 for Mac before version 8.10.36 (released in July 2024). Users running these versions risk having their vault items exfiltrated by malicious software.

What Should You Do?

To mitigate this risk, users of affected versions are strongly advised to update to the latest version, 1Password for Mac 8.10.36. The updated version includes necessary patches to address the security flaw.
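A version check an administrator could run on managed Macs to find installs in the affected range, as an added example that is not from 1Password or the original article. The install path, the use of `CFBundleShortVersionString` as the version source, and the handling of a `-N.BETA` style suffix are assumptions.

```shell
#!/bin/sh
# Added example: flag 1Password 8 for Mac builds older than the fixed release.
FIXED="8.10.36"   # fixed version stated in the article
# Assumption: default install location; override APP_PLIST for other layouts.
APP_PLIST="${APP_PLIST:-/Applications/1Password.app/Contents/Info.plist}"

# ver_lt A B: succeed if dotted version A is numerically lower than B.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}          # missing components count as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                          # equal versions are not "lower"
}

# is_affected VERSION: 0 = affected, 1 = not affected, 2 = cannot parse.
is_affected() {
    v=${1%%-*}                        # assumption: drop a "-N.BETA" style suffix
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    [ "${v%%.*}" = "8" ] || return 1  # the article scopes the issue to 1Password 8
    ver_lt "$v" "$FIXED"              # numeric compare, so 8.10.4 < 8.10.36
}

# Read the installed version (macOS only) and report its status.
check_local_install() {
    [ -f "$APP_PLIST" ] || { echo "1Password not found at $APP_PLIST"; return 0; }
    ver=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$APP_PLIST" 2>/dev/null) || ver=""
    rc=0; is_affected "$ver" || rc=$?
    case $rc in
        0) echo "AFFECTED: $ver is older than $FIXED, update required" ;;
        1) echo "OK: $ver is outside the affected range" ;;
        *) echo "UNKNOWN: could not parse version '$ver'" ;;
    esac
}

check_local_install
```

The comparison is done per numeric component because a plain string comparison would rank 8.10.4 above 8.10.36 and miss an affected install.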

How Does the Exploit Work?

To exploit this vulnerability, an attacker must first run malicious software, designed specifically to target 1Password for Mac, on the victim's computer. That software can take advantage of missing macOS-specific inter-process validations to hijack or impersonate a trusted 1Password integration. This could allow the exfiltration of vault items and the acquisition of derived values used to sign in to 1Password, including the account unlock key and “SRP-𝑥”.

1Password uses the system-native XPC interface for inter-process communication on macOS. XPC can enforce additional protections such as the hardened runtime, which prevents specific local attacks by ensuring that processes are protected against tampering.

What Has Been Done?

This vulnerability resulted from missing inter-process validations, which have been added in the latest update. 1Password has expressed gratitude to Robinhood’s Red Team for their responsible disclosure, which enabled the company to protect its customers proactively.

The company has confirmed that no one has reported discovering or exploiting this issue.
