1Password warns Mac users to patch to stop their vaults being accessed by hackers
Password manager company 1Password has released a security advisory concerning a flaw affecting the MacOS variant of its credential storage software.
1Password is one of the most popular password managers on the market, with over 15 million users in 2022 and around 150,000 businesses using the software, so the vulnerability puts tens of millions of users’ password vaults at risk.
Vaults are a system introduced by 1Password to allow users to manage credentials they use across both their personal and professional accounts.
If successfully exploited, the flaw would allow hackers to steal entire vaults from MacOS users running vulnerable versions of the software.
CVE-2024-42219 allows an attacker who is already running malicious software locally on the machine to bypass inter-process communication (IPC) protections and exfiltrate vault items.
“An attacker is able to misuse missing macOS specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI,” 1Password’s advisory stated.
“This would permit the malicious software to exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and ‘SRP-’.”
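The advisory’s point is that a trusted integration must be identified by something the peer cannot fake, such as its code signature, rather than by a name, a process ID or a socket path. The following is an added example written for this article, not 1Password’s code: an XPC service whose listener delegate binds a code-signing requirement to every incoming connection before exporting any interface, using the public NSXPCConnection.setCodeSigningRequirement API available from macOS 13. The service name, protocol, bundle identifier and Team ID are placeholders.

```swift
import Foundation

// Hypothetical interface a trusted integration (browser extension, CLI) would call.
@objc protocol VaultServiceProtocol {
    func lookupItem(named name: String, reply: @escaping (String?) -> Void)
}

final class VaultService: NSObject, VaultServiceProtocol {
    func lookupItem(named name: String, reply: @escaping (String?) -> Void) {
        // Constructed stand-in for a real lookup; the point of the example is the peer check below.
        reply(name == "example" ? "constructed-secret" : nil)
    }
}

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Designated requirement the peer must satisfy: an Apple-anchored signing chain,
    // a specific bundle identifier and a specific Team ID. Both values are placeholders.
    // Pinning only "anchor apple generic" would accept any signed app on the machine.
    static let peerRequirement =
        "anchor apple generic and identifier \"com.example.trusted-extension\" " +
        "and certificate leaf[subject.OU] = \"TEAMID0000\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        if #available(macOS 13.0, *) {
            // The system evaluates the requirement against the peer's audit token;
            // a peer that does not satisfy it gets no messages delivered and the
            // connection is invalidated. Set it before resume() so nothing is
            // handled from an unverified peer.
            newConnection.setCodeSigningRequirement(Self.peerRequirement)
        } else {
            // No public API here to validate the peer on older systems; refuse rather
            // than fall back to a name- or pid-based check.
            return false
        }
        newConnection.exportedInterface = NSXPCInterface(with: VaultServiceProtocol.self)
        newConnection.exportedObject = VaultService()
        newConnection.resume()
        return true
    }
}

// Mach service name is a placeholder; it must match the service's launchd plist.
let listener = NSXPCListener(machServiceName: "com.example.vaultservice")
let delegate = ListenerDelegate()
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

The requirement string is the same language used by `codesign -r` and `csreq`; checking it with `codesign --verify -R='<requirement>' /path/to/Peer.app` against a known-good build of the integration is a quick way to confirm the string accepts what it should before shipping it.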
The issue affects all versions of 1Password 8 for Mac before 8.10.36 and has been resolved in all subsequent versions released by AgileBits, the company behind 1Password.
The flaw was discovered by security researchers at Robinhood after they conducted an independent security assessment of the 1Password software, and presented their findings at DEF CON 2024 in Las Vegas.
In its August 2024 security update, 1Password thanked Robinhood for its work in discovering the flaws, adding that collaboration is essential to secure an interconnected technology ecosystem.
“Strong security requires a collective effort from the entire technology ecosystem, and we believe that through active collaboration, the cybersecurity industry can create a more secure digital landscape for everyone.”
Attackers continue to target 1Password to crack corporate credentials
Last year, 1Password disclosed another high-severity flaw, which offered attackers a fairly simple means of gaining a foothold on a corporate network, from which they could carry out further attacks.
CVE-2023-4863 is a heap buffer overflow in libwebp, as used in Google Chrome, that could allow a remote attacker to perform an out-of-bounds memory write using a specially crafted HTML page.
Disclosed in September 2023, the issue, which the firm claimed was inherited from Google Chrome, affects versions of 1Password 8 for Mac, Windows, and Linux prior to 8.10.15.
1Password said the issue affects the way the password manager displays images in the WebP format, which could be used by a hacker to cause a heap buffer overflow, warning this could be used as a launching point for more disruptive attacks.
“An attacker who is able to show images in the WebP format to a victim using the 1Password app is able to perform a heap buffer overflow. The attacker can use this as a starting off point to achieve remote code execution or steal secrets from the other user’s device”.
However, 1Password only shows uploaded images to other users in the same account, meaning the attacker would need to share an account with the victim in order to carry out the attack.
By default, the password manager doesn’t allow users to create WebP images, but the firm warned that an attacker using a maliciously modified client would be able to create them anyway.
If they are able to do so, the firm said, 1Password apps will attempt to display the images and become open to attack via CVE-2023-4863.
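Both advisories above come down to a version threshold: 8.10.36 for CVE-2024-42219 and 8.10.15 for CVE-2023-4863 on 1Password 8 for Mac. The following is an added example, not 1Password’s code, that maps an installed version string to the advisories still applying to it and reads the local version from the app bundle. Versions must be compared component by component, since string comparison would rank "8.10.9" above "8.10.36". The application path and the host inventory are constructed assumptions; CVE-2024-42219 is Mac-only, so the check assumes Mac installs.

```swift
import Foundation

// Fixed versions taken from the article.
let fixedIn: [(cve: String, version: [Int])] = [
    ("CVE-2023-4863", [8, 10, 15]),
    ("CVE-2024-42219", [8, 10, 36]),
]

// Parse "8.10.35" into [8, 10, 35]; nil for anything that is not dot-separated integers.
func parseVersion(_ text: String) -> [Int]? {
    let parts = text.trimmingCharacters(in: .whitespacesAndNewlines).split(separator: ".")
    let numbers = parts.compactMap { Int($0) }
    return numbers.count == parts.count && !numbers.isEmpty ? numbers : nil
}

// Component-wise numeric comparison, padding the shorter version with zeros.
func isOlder(_ a: [Int], than b: [Int]) -> Bool {
    for i in 0..<max(a.count, b.count) {
        let x = i < a.count ? a[i] : 0
        let y = i < b.count ? b[i] : 0
        if x != y { return x < y }
    }
    return false
}

// CVEs from the list above that still apply to an installed 1Password 8 version.
// Returns nil when the string is not a 1Password 8 version (e.g. a 7.x install).
func unpatchedCVEs(installed: String) -> [String]? {
    guard let v = parseVersion(installed), v.first == 8 else { return nil }
    return fixedIn.filter { isOlder(v, than: $0.version) }.map { $0.cve }
}

// Read CFBundleShortVersionString from the app bundle. The default path is an
// assumption about a standard install; pass another path if the app lives elsewhere.
func installedVersion(appPath: String = "/Applications/1Password.app") -> String? {
    let plist = URL(fileURLWithPath: appPath).appendingPathComponent("Contents/Info.plist")
    guard let data = try? Data(contentsOf: plist),
          let any = try? PropertyListSerialization.propertyList(from: data, options: [], format: nil),
          let dict = any as? [String: Any] else { return nil }
    return dict["CFBundleShortVersionString"] as? String
}

// Constructed sample inventory, as an endpoint-management export might provide.
let inventory = ["mac-01": "8.10.9", "mac-02": "8.10.15", "mac-03": "8.10.36", "mac-04": "7.9.11"]
for (host, version) in inventory.sorted(by: { $0.key < $1.key }) {
    if let cves = unpatchedCVEs(installed: version) {
        print(host, version, cves.isEmpty ? "patched for both advisories"
                                          : "missing fixes for \(cves.joined(separator: ", "))")
    } else {
        print(host, version, "not a 1Password 8 version; check separately")
    }
}

// Local machine, if the bundle is present at the assumed path.
if let local = installedVersion(), let cves = unpatchedCVEs(installed: local) {
    print("this Mac:", local, cves.isEmpty ? "patched" : "missing \(cves)")
}
```

With the constructed inventory, mac-01 reports both CVEs, mac-02 reports only CVE-2024-42219, mac-03 reports none, and mac-04 is flagged as not a 1Password 8 version.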