AgileBits, the developer behind the 1Password password manager, has disclosed a severe security vulnerability that could potentially allow attackers to extract sensitive information from macOS users.
The 1Password vulnerability, identified as CVE-2024-42219, involves a critical 1Password security flaw that could enable malicious actors to obtain account unlock keys and other vault items through a compromised local process.
The 1Password vulnerability, CVE-2024-42219, allows a malicious process on a macOS device to bypass inter-process communication protections.
According to 1Password’s support statement, this flaw could permit the exfiltration of vault items and the acquisition of derived values necessary for signing into 1Password, including the account unlock key and SRP-𝑥.
The SRP (Secure Remote Password) protocol is a critical part of the security framework protecting 1Password vaults.
1Password Vulnerability Targets macOS Devices
In terms of data encryption, 1Password utilizes a 128-bit secret key combined with the master password to secure vault contents. This secret key is generated on the user’s device and is not accessible to 1Password itself, adding an extra layer of security.
The CVE-2024-42219 vulnerability affects 1Password for macOS, specifically versions of 1Password 8 for Mac before 8.10.36. To exploit this security flaw, attackers would need to specifically target users of 1Password for Mac and persuade them to run malicious software on their devices.
The vulnerability arises from inadequate macOS-specific inter-process validations, which an attacker could exploit to impersonate a 1Password browser extension.
The macOS XNU (macOS kernel) inter-process communication framework is designed to enforce ‘hardened runtime’ protections, which should prevent tampering and local attacks.
However, during an independent security assessment by the Robinhood Red Team, a method was discovered to bypass these protections.
AgileBits’ Response and Mitigation for 1Password Vulnerability
AgileBits has confirmed that, to date, the 1Password vulnerability identified as CVE-2024-42219 has not been reported as being exploited by anyone other than the Robinhood Red Team researchers. The company is working closely with the researchers and has addressed the issue in the latest update.
According to Forbes, a spokesperson from 1Password addressed the situation regarding recent security vulnerabilities. The spokesperson explained that Robinhood’s Red Team identified issues that could occur when a device is compromised by malware, giving attackers full control. When this level of control is achieved, securing the device becomes very difficult.
1Password has responded to these vulnerabilities by releasing an update, version 8.10.38, which addresses the issues identified. The spokesperson expressed appreciation for the Red Team’s collaboration and disclosure of the vulnerabilities before their DEFCON presentation, emphasizing 1Password’s commitment to transparency and user safety.
Users of 1Password for macOS are advised to update their applications immediately. The 1Password vulnerability has been patched in version 8.10.36 of 1Password for Mac. The application is designed to check for updates every five minutes upon opening, and users should receive a notification if an update is available. If the application is locked, it will update itself automatically.
