A serious security vulnerability has been discovered in 1Password 8 for Mac, impacting versions prior to 8.10.36. This flaw, identified as CVE-2024-42219, was responsibly disclosed by Robinhood’s Red Team, highlighting a critical issue in the app’s platform security protections. The vulnerability allows a malicious process running locally on a Mac to bypass inter-process communication protections, posing a significant risk to users.
Who Is Affected?
This issue affects all users of 1Password 8 for Mac running versions before 8.10.36 (released in July 2024). Because macOS-specific inter-process validations were missing, an attacker can hijack or impersonate trusted 1Password integrations, such as the browser extension or command-line interface (CLI). This could lead to unauthorized access to sensitive vault items and derived values used for account sign-ins.
Immediate Action Required
1Password users are strongly advised to update to version 8.10.36 immediately to mitigate the risk. The latest update resolves the vulnerability, ensuring that the app’s security protections function as intended. To update, users can visit the official 1Password support page.
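To confirm whether a given Mac still runs an affected build, the following added example (not 1Password's own tooling) compares the installed version against 8.10.36. It assumes the default install path `/Applications/1Password.app` and that the version is read from the bundle's `CFBundleShortVersionString`; the function names are illustrative.

```shell
#!/bin/sh
FIXED_VERSION="8.10.36"                   # first fixed release, per this advisory
APP="${APP:-/Applications/1Password.app}" # assumed default install location

# version_lt A B: succeed when dotted version A is older than B.
# Components compare numerically; a missing component counts as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"   # drop suffixes such as "-beta"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                              # equal versions are not "older"
}

# check_version VERSION: 0 = patched, 1 = affected, 2 = not a 1Password 8 build.
check_version() {
    case "$1" in
        8.*) ;;
        *) echo "SKIP: $1 is not a 1Password 8 build"; return 2 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "AFFECTED: 1Password $1 predates $FIXED_VERSION (CVE-2024-42219)"
        return 1
    fi
    echo "OK: 1Password $1 includes the fix"
}

# On a Mac with the app installed, read the bundle version and report on it.
if [ -d "$APP" ] && command -v defaults >/dev/null 2>&1; then
    check_version "$(defaults read "$APP/Contents/Info" CFBundleShortVersionString)" || true
fi
```

Set `APP` to a different path if 1Password is installed elsewhere; the return codes of `check_version` make it usable from a fleet inventory script.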
Protecting Users
The discovery of this vulnerability underscores the importance of regular security assessments and prompt updates. 1Password has expressed gratitude to Robinhood’s Red Team for their responsible disclosure, which has allowed the company to address the issue swiftly and protect its users from potential exploitation.
The CVE-2024-42219 vulnerability in 1Password 8 for Mac is a stark reminder of the evolving threats in the digital landscape. Users must stay vigilant and ensure their software is up to date to maintain the highest level of security.