OnePassword for Mac’s safety vulnerability made credentials prone to hacks.
1Password has revealed a critical flaw in older versions of the popular password manager.
1Password has revealed a critical security flaw that is now patched in its software. This could allow attackers to access unlock keys and credentials of users. Here’s how to keep your data secure. In a blog post, 1Password revealed the exact details about the vulnerability and which versions of the application are vulnerable to attacks. According to 1Password, all versions of 1Password Mac prior to version 8.10.36 (July 2024) are vulnerable to this exploit. The issue can be resolved relatively easily by updating 1Password to version 8.10.36. This has already been released. There are no indications yet that the exploit was used in the wild. The issue was found during an independent assessment of the app’s security by the Red Robinhood Team, and then reported to 1Password. The security post mentioned above recommends users update their 1Password apps if they still use an affected version. This is any version of 1Password Mac before 8.10.36. 1Password also explains in detail how the exploit is carried out: A problem has been identified with 1Password for Mac, which affects the platform security protections of the app. This issue allows a malicious process to bypass the inter-process communication security protections. To exploit the issue, an attack must run malicious software specifically targeting 1Password Mac. An attacker can exploit missing macOS-specific validations for inter-process communication to hijack or impersonate trusted 1Password integrations such as the 1Password CLI or browser extension. This would allow the malicious software to exfiltrate the vault items as well as obtain the derived values that are used to sign into 1Password. Specifically, the account unlock key, and “SRP x”. As mentioned earlier, this vulnerability can be fixed by updating 1Password for Mac to version 8.10.36. This is the recommended patch by the company.