https://www.forbes.com/sites/daveywinder/2024/08/07/critical-1password-security-flaw-could-let-hackers-steal-unlock-key/

Critical 1Password Security Flaw Could Let Hackers Steal Unlock Key

Davey Winder, Senior Contributor. Opinions expressed by Forbes Contributors are their own. Davey Winder is a veteran cybersecurity writer, hacker and analyst.

Aug 7, 2024, 11:39am EDT. Updated Aug 7, 2024, 01:14pm EDT

Image caption: 1Password has fixed a flaw allowing attackers to exfiltrate vault items on macOS. getty

AgileBits, the developer of the hugely popular 1Password password manager, has confirmed that a critical security vulnerability could have allowed an attacker to exfiltrate password vault items and potentially obtain account unlock keys from macOS users.

What Is CVE-2024-42219?
In a 1Password support posting it was stated that CVE-2024-42219 could enable a "malicious process running locally on a machine to bypass inter-process communication protections" and allow the malicious software in question to "exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and SRP-x."

SRP refers to the Secure Remote Password protocol and forms just one part of the multi-layer security protecting access to 1Password vaults. When it comes to 1Password data encryption, passwords have an additional layer of protection by way of a 128-bit secret key that must be used in conjunction with your master password to decrypt anything. This key is generated on your own device and is not known to 1Password.

A 1Password spokesperson gave me the following statement:

"Robinhood's Red Team found vulnerabilities that can occur when a device is compromised by malware and a malicious actor has full control over it. When malware or a malicious user gains full control over a user's device, there is little that can be done to guarantee its security. We have since addressed the vulnerabilities within our control, with the latest updates rolled out in the 8.10.38 client app release. We appreciate that Robinhood's Red Team disclosed and collaborated closely with us to address these issues ahead of their presentation at DEFCON this Saturday at 2pm PT. We're committed to transparency about security issues and keeping our customers safe and will publish more details on our blog after their presentation."

Image caption: Check your Mac version of 1Password is up to date. AgileBits/Davey Winder

Which 1Password Accounts Does CVE-2024-42219 Impact?
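The two-secret model described above (master password plus a device-generated 128-bit secret key) as an added illustration; this is not 1Password's actual key-derivation code, only a generic construction (PBKDF2 over the password, then HMAC with the device secret) that shows why an offline guess needs both values. The function names, salt, iteration count and the candidate password list are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Illustrative parameters, not 1Password's: a constructed salt and a low
# iteration count so the example runs quickly.
SALT = b"example-salt-not-real"
ITERATIONS = 10_000


def generate_secret_key() -> bytes:
    """128-bit secret generated on the user's device; never sent to the server."""
    return secrets.token_bytes(16)


def derive_unlock_key(password: str, secret_key: bytes,
                      salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Generic two-secret derivation: stretch the password with PBKDF2, then
    bind the device secret in with HMAC so neither value alone yields the key."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=32)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def find_password(candidates: Iterable[str], secret_key: bytes,
                  target: bytes) -> Optional[str]:
    """Offline verification of a candidate list against a known unlock key.

    Returns the matching password or None. With the wrong (or unknown) device
    secret no candidate can verify, which is the point of the second secret:
    a leaked vault plus a weak password is still not enough on its own.
    """
    for pw in candidates:
        if hmac.compare_digest(derive_unlock_key(pw, secret_key), target):
            return pw
    return None


def demo() -> dict:
    """Run the comparison and return the outcomes for inspection."""
    weak_password = "password123"          # constructed weak master password
    device_key = generate_secret_key()
    unlock_key = derive_unlock_key(weak_password, device_key)
    guesses = ["letmein", "hunter2", "password123", "qwerty"]  # constructed list
    return {
        # Holding the device secret, a short wordlist verifies the weak password.
        "with_secret": find_password(guesses, device_key, unlock_key),
        # Without the device secret, even the correct password does not verify.
        "without_secret": find_password(guesses, generate_secret_key(), unlock_key),
        # Same password, different device secret: an unrelated key.
        "keys_differ": derive_unlock_key(weak_password, generate_secret_key()) != unlock_key,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the HMAC step: the device secret is used as the MAC key rather than concatenated into the password, so an attacker who obtains only the encrypted data has to supply a 128-bit value they never saw, regardless of how weak the master password is.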
The security vulnerability was found within 1Password for macOS and affects users of all 1Password 8 for Mac versions before 8.10.36. To exploit this vulnerability, an attacker would have to specifically target 1Password for Mac users and convince them to run malicious software on their computer. An attacker could, the 1Password support posting confirmed, abuse missing macOS-specific inter-process validations in order to impersonate a 1Password browser extension.

The macOS XNU (macOS kernel) inter-process communication framework is system-native and is used by 1Password to enforce 'hardened runtime' protections that should prevent tampering with such processes and, therefore, prevent certain types of local attack from taking place. The Robinhood Red Team hackers found a way around this protection during an independent security assessment of 1Password for Mac. AgileBits has confirmed that, as far as it is aware, the issue has not been discovered or exploited by anyone other than the researchers themselves. 1Password has received no reports to the contrary, it said.

Mitigating The 1Password For Mac Security Vulnerability

All users of 1Password for macOS are advised to ensure they have updated to the latest version of the password manager application as a matter of urgency. The security flaw has been patched in 1Password for Mac version 8.10.36, so users should check they have this version or later installed.

Image caption: Check for updates to be sure you are protected. AgileBits/Davey Winder

Thankfully, 1Password checks for such updates five minutes after the application is opened and does so every day. You should see a notification concerning an available update if the app is unlocked. If the app is locked, then it will update itself automatically.
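The version check the mitigation advice asks for, as an added example that is not AgileBits' code: read CFBundleShortVersionString from the app bundle's Info.plist and compare it numerically with the fixed release the article names, 8.10.36. The install path /Applications/1Password.app is an assumption about the reader's machine, and the embedded plist is a constructed sample so the parsing path runs on any system.

```python
import plistlib
import re
from pathlib import Path
from typing import Optional, Tuple

# Release the article reports as carrying the fix.
FIXED_VERSION = "8.10.36"
# Default install location for 1Password 8 on macOS (an assumption; pass a
# different path to installed_version() if the app lives elsewhere).
DEFAULT_APP_PATH = Path("/Applications/1Password.app")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.10.36' into (8, 10, 36) so comparison is numeric, not lexical.

    A plain string compare would rank '8.9.40' above '8.10.36'; integer tuples
    do not. A non-numeric suffix such as a beta tag is ignored.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is the fixed release or later."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so 8.10 and 8.10.0 compare equal
    b += (0,) * (width - len(b))
    return a >= b


def version_from_plist(data: bytes) -> Optional[str]:
    """Read CFBundleShortVersionString from Info.plist bytes (XML or binary)."""
    info = plistlib.loads(data)
    value = info.get("CFBundleShortVersionString")
    return str(value) if value is not None else None


def installed_version(app_path: Path = DEFAULT_APP_PATH) -> Optional[str]:
    """Version of the app bundle at app_path, or None if it is not installed."""
    plist = app_path / "Contents" / "Info.plist"
    if not plist.is_file():
        return None
    return version_from_plist(plist.read_bytes())


# Constructed sample Info.plist (not a real bundle file) so the parsing path
# can be exercised on a machine without 1Password installed.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.sample-app</string>
  <key>CFBundleShortVersionString</key>
  <string>8.10.35</string>
</dict>
</plist>
"""


def assess(version: Optional[str]) -> str:
    """One-line verdict for an installed version string (None = not found)."""
    if version is None:
        return "1Password 8 for Mac not found at the expected path"
    if is_patched(version):
        return f"{version}: {FIXED_VERSION} or later, not affected by CVE-2024-42219"
    return f"{version}: older than {FIXED_VERSION}, update 1Password now"


if __name__ == "__main__":
    print("sample plist:", assess(version_from_plist(SAMPLE_PLIST)))
    print("this machine:", assess(installed_version()))
```

Run it on the Mac in question; the second output line reports the real bundle, while the first exercises the parser against the constructed sample. The numeric comparison matters because a later patch release with a two-digit final component would sort below the fix under plain string comparison.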