A critical security issue in 1Password for Mac left credentials vulnerable to attack

1Password has disclosed a critical security flaw present in older versions of its popular password manager

1Password has disclosed a now-patched critical security flaw in its software that could give attackers access to users' unlock keys and credentials. Here's what to do to keep your data safe.

In a security post, 1Password has revealed the exact details of the vulnerability, and which application versions are susceptible to attacks.

According to the company, all versions of 1Password for Mac before version 8.10.36 (July 2024) are vulnerable to the exploit. Thankfully, the issue can be resolved with relative ease by updating the 1Password application to version 8.10.36, which has already been made available.

There are currently no indications that the exploit has been used in the wild. The issue was discovered during an independent security assessment of the app by the Red Robinhood team, after which it was reported to 1Password.

Even so, the previously mentioned security post recommends that users update their 1Password app if they are still using an affected version, which is any version of 1Password for Mac before 8.10.36.

1Password has also explained in detail how the exploit works:

An issue has been identified in 1Password for Mac that affects the app's platform security protections. This issue enables a malicious process running locally on a machine to bypass inter-process communication protections.

To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac. An attacker is able to misuse missing macOS-specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI. This would permit the malicious software to exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and "SRP-x."

As mentioned earlier, the vulnerability can be patched by updating the 1Password for Mac application to version 8.10.36, as is recommended by the company.
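One way to check a Mac against the fixed release named above, as an added example that is not 1Password's or this article's own code. It assumes the app lives at /Applications/1Password.app and exposes its version in the standard CFBundleShortVersionString key; the function names are this example's own.

```shell
#!/bin/sh
# Added example: flag a 1Password for Mac build older than the fixed release.
FIXED_VERSION="8.10.36"   # fixed release named in the article

# version_lt A B: return 0 when dotted version A is lower than B.
# Fields are compared as numbers, so 8.9.0 < 8.10.36; a plain string
# comparison would rank 8.9.0 above 8.10.36 and miss an affected build.
version_lt() {
    a=${1%%[!0-9.]*}   # drop any trailing suffix such as "-2.BETA" (assumed format)
    b=${2%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        fa=${fa:-0}; fb=${fb:-0}          # a missing field counts as 0
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # versions are equal
}

# classify VERSION: print UPDATE_REQUIRED for anything below the fixed release.
classify() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "UPDATE_REQUIRED"
    else
        echo "OK"
    fi
}

# installed_version APP_PATH: read the bundle version (macOS only).
installed_version() {
    defaults read "$1/Contents/Info" CFBundleShortVersionString 2>/dev/null
}

# Assumed install location; override with APP=/path/to/1Password.app
APP="${APP:-/Applications/1Password.app}"
if [ -d "$APP" ]; then
    v=$(installed_version "$APP") || v=""
    if [ -n "$v" ]; then
        echo "1Password $v: $(classify "$v") (fixed in $FIXED_VERSION)"
    else
        echo "1Password found at $APP but its version could not be read"
    fi
fi
```

The check follows the article's statement that every build before 8.10.36 is affected, so any lower version number is reported as UPDATE_REQUIRED.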

14 Comments

CaptainQ 1 Year · 10 comments

sadly... a lot of people are still using the V7 because they do not want to pay a subscription, will it be patched?

2 Likes · 0 Dislikes
prof 13 Years · 109 comments

CaptainQ said:
sadly... a lot of people are still using the V7 because they do not want to pay a subscription, will it be patched?

Pretty much certainly not. Having said that, that vulnerability is a godsend, my better half unexpectedly passed away and I could really use access to her 1password vault... Any idea where to find an exploit?

1 Like · 0 Dislikes
CaptainQ 1 Year · 10 comments

prof said:
CaptainQ said:
sadly... a lot of people are still using the V7 because they do not want to pay a subscription, will it be patched?
Pretty much certainly not. Having said that, that vulnerability is a godsend, my better half unexpectedly passed away and I could really use access to her 1password vault... Any idea where to find an exploit?

Depends on where you live, but even if the person died, it might still be illegal to do so if it wasn't explicitly mentioned in the wishes.

Xed 5 Years · 3158 comments

In a security post, 1Password has revealed the exact details of the vulnerability, and which application versions are susceptible to attacks.

According to the company, all versions of 1Password for Mac before version 8.10.36 (July 2024) are vulnerable to the exploit. Thankfully, the issue can be resolved with relative ease by updating the 1Password application to version 8.10.36, which has already been made available.

According to this company, this only affects 1Password 8 for Mac. That is an important distinction over the AI article. As someone who is still on version 9 because of all the missing features and wonky way of working in version 8 you had me scared that I was going to need to make a choice between security or utility. In that case I'm probably going to switch to a different solution because 1Password 8 for Mac sucks balls.

3 Likes · 0 Dislikes
tenfingers 14 Years · 30 comments

They had one job. They have been too focused on extracting more money out of users. I’m really hoping the new Apple password manager removes any need for a 3rd party app. 

3 Likes · 0 Dislikes