Critical 1Password flaws may allow hackers to snatch your passwords (CVE-2024-42219, CVE-2024-42218)

Two vulnerabilities affecting the macOS version of the popular 1Password password manager could allow malware to steal secrets stored in the software's vaults and obtain the account unlock key, AgileBits has confirmed.
Discovered by the Robinhood Red Team during a security assessment of 1Password for Mac and then privately reported to the software's makers, the vulnerabilities have been fixed in two consecutive versions of the software: v8.10.36 and v8.10.38.
"An attacker is able to misuse missing macOS specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI," the company says.
CVE-2024-42218 may allow attackers to bypass macOS-specific security mechanisms by using outdated versions of the 1Password for Mac app.
"To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac. If an attacker is able to load an old version of 1Password on a user's computer, they could then access 1Password associated secrets stored in the macOS Keychain," the advisory notes.
"This issue leverages out-of-date versions of 1Password that contain vulnerabilities in 3rd party dependencies and are missing security hardening measures enabled in all modern versions of 1Password. An attacker can use the existence of these old versions to create an attack on newer versions of the apps."
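The class of flaw the advisory describes is an XPC listener that accepts any local peer claiming to be the browser extension or CLI. The hardening is to bind the connection to the caller's code signature before any message is handled. The following is an added illustration, not 1Password's code; the protocol, bundle identifier and Team ID are placeholders.

```objectivec
#import <Foundation/Foundation.h>

// Constructed placeholder designated requirement: the trusted integration
// must be signed by Apple-issued certificates for one specific Team ID and
// carry one specific bundle identifier. Replace both values for a real service.
static NSString *const kTrustedClientRequirement =
    @"anchor apple generic and identifier \"com.example.trusted-client\" "
     "and certificate leaf[subject.OU] = \"TEAMID0000\"";

// Hypothetical service protocol; the real interface is not on the page.
@protocol VaultService
- (void)fetchItem:(NSString *)itemId withReply:(void (^)(NSData *item))reply;
@end

@interface VaultListenerDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation VaultListenerDelegate
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    if (@available(macOS 13.0, *)) {
        // The system validates the peer's static and dynamic code signature
        // against this requirement and invalidates the connection if it
        // fails, before any message reaches exportedObject. A process that
        // merely mimics the extension's name or socket path fails here.
        [newConnection setCodeSigningRequirement:kTrustedClientRequirement];
    } else {
        // No built-in peer validation on older systems: refuse the
        // connection rather than trust an unverified caller.
        return NO;
    }
    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(VaultService)];
    newConnection.exportedObject = self; // a real service exports its handler
    [newConnection resume];
    return YES;
}

// Placeholder handler so the delegate satisfies the exported interface.
- (void)fetchItem:(NSString *)itemId withReply:(void (^)(NSData *))reply {
    reply(nil); // secrets are only returned after the signature check passed
}
@end
```

A connection from a trusted integration that was replaced with an older, unhardened build still satisfies an identifier-and-Team-ID requirement; pinning a minimum version or build-specific entitlement in the requirement closes that gap.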
News URL
https://www.helpnetsecurity.com/2024/08/09/cve-2024-42219-cve-2024-42218/
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-06 | CVE-2024-42218 | Unspecified vulnerability in 1Password 1Password 8 before 8.10.38 for macOS allows local attackers to exfiltrate vault items by bypassing macOS-specific security mechanisms. | 4.7 |