CVE-2024-42219 – The Vulnerability
A critical vulnerability, designated as CVE-2024-42219, has been identified in 1Password 8 for Mac. This flaw allows malicious actors to exfiltrate vault items by bypassing the app’s platform security protections.
Robinhood’s Red Team responsibly disclosed the issue following an independent security assessment of 1Password for Mac.
What is CVE-2024-42219?
The vulnerability affects the inter-process communication (IPC) protections of 1Password for Mac. Specifically, a malicious process running locally on a machine can exploit this flaw to bypass IPC protections. This would enable an attacker to hijack or impersonate trusted 1Password integrations, such as the 1Password browser extension or Command Line Interface (CLI).
Who is Affected?
This vulnerability affects all versions of 1Password 8 for Mac before version 8.10.36 (released in July 2024). Users running these versions risk having their vault items exfiltrated by malicious software.
What Should You Do?
To mitigate this risk, users of affected versions are strongly advised to update to the latest version, 1Password for Mac 8.10.36. The updated version includes necessary patches to address the security flaw.
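The check below is an added example, not code from 1Password or Robinhood: it classifies a 1Password version string against the fixed release 8.10.36 named above. The install path, the use of `CFBundleShortVersionString`, and the function names `version_lt` and `classify` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag 1Password 8 for Mac installs older than the fixed release.
FIXED_VERSION="8.10.36"   # fixed release named in the advisory
APP_PLIST="/Applications/1Password.app/Contents/Info.plist"   # assumed default install path

# version_lt A B: succeed when dotted version A is lower than B.
# Segments compare numerically, so 8.10.4 < 8.10.36 (a plain string compare gets this wrong).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal versions are not "lower than"
}

# classify VERSION: print vulnerable, patched, out-of-scope or unknown.
classify() {
    v=$1
    case $v in
        ''|*[!0-9.]*) echo unknown; return ;;   # empty, or carries a non-numeric tag
    esac
    case $v in
        8.*) ;;                                 # the advisory covers 1Password 8 only
        *) echo out-of-scope; return ;;
    esac
    if version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# On a Mac with the app installed, report the local result; otherwise do nothing.
if [ -f "$APP_PLIST" ]; then
    installed=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
        "$APP_PLIST" 2>/dev/null) || installed=""
    echo "1Password ${installed:-?}: $(classify "$installed")"
fi
```

A result of `unknown` means the version string could not be compared and should be checked by hand.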
How Does the Exploit Work?
To exploit this vulnerability, an attacker must run malicious software, written specifically to exploit 1Password for Mac, on the target computer. By abusing the missing macOS-specific inter-process validations, that software can hijack or impersonate a trusted 1Password integration. This could allow the exfiltration of vault items and the acquisition of derived values used to sign in to 1Password, including the account unlock key and “SRP-𝑥”.
1Password utilizes the system-native XPC interface for inter-process communication on macOS. XPC enforces additional protections through the hardened runtime, which prevents specific local attacks by ensuring processes have protections against tampering.
What Has Been Done?
This vulnerability resulted from missing inter-process validations, which have been addressed in the latest update. 1Password has expressed gratitude to Robinhood’s Red Team for their responsible disclosure, enabling the company to protect its customers proactively.
The company has confirmed that no one has reported discovering or exploiting this issue.