CVE-2021-41795 for versions 7.7.0-7.8.6 of 1Password for Mac

Published:

About the issue

An issue was discovered in the Safari extension bundled with versions 7.7.0 to 7.8.6 of 1Password for Mac. The issue allowed a malicious web page to autofill items in certain categories without user interaction while 1Password was unlocked. Information from the following items could be obtained:

  • Login and Password items, only if:
    • They match the (malicious) web page’s domain, or
    • They’re not associated with any domain
  • Identity items
  • Credit card items

A malicious web page could not obtain information from any other items, including Login and Password items for other domains. For example, a malicious web page on sneakywebsite.com could not access information from an item associated with realwebsite.com.

This issue was discovered and responsibly disclosed to us by a security researcher who goes by Megamind. 1Password has no reason to believe that this issue has been discovered or exploited by anyone else. It has been assigned identifier CVE-2021-41795 in the Common Vulnerabilities and Exposures database.

Who may be affected

Anyone using the Safari extension bundled with versions 7.7.0 to 7.8.6 of 1Password for Mac may be affected. The issue is resolved in 1Password 7.8.7 for Mac.

This issue does not affect 1Password in other browsers or on other platforms, and it does not affect 1Password 8.

If you’re using an affected version of 1Password for Mac, update to the latest version of 1Password for Mac.
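
A version check for fleet inventories, added here as an example and not part of the 1Password advisory: it classifies reported 1Password for Mac version strings against the affected range stated above. The CSV layout, the hostnames, and the choice to send truncated or suffixed 7.x version strings to manual review are assumptions of the example.

```python
import csv
import io
import re

# Range stated in the advisory: 7.7.0 through 7.8.6 affected, resolved in 7.8.7.
FIRST_AFFECTED = (7, 7, 0)
LAST_AFFECTED = (7, 8, 6)

# major[.minor[.patch]] followed by an optional build/pre-release suffix
_VERSION = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")

def classify(version):
    """Return 'affected', 'not_affected' or 'unknown' for one version string."""
    m = _VERSION.match((version or "").strip())
    if not m:
        return "unknown"
    major, minor, patch, suffix = m.groups()
    if int(major) != 7:
        return "not_affected"          # e.g. 1Password 8, which the advisory excludes
    if minor is None or patch is None:
        return "unknown"               # truncated 7.x string cannot be placed in the range
    parts = (7, int(minor), int(patch))  # numeric compare, so 7.8.10 sorts after 7.8.6
    if FIRST_AFFECTED <= parts <= LAST_AFFECTED:
        return "affected"
    # Assumption: a suffixed 7.x build (beta, nightly) is not assumed to carry the fix
    return "unknown" if suffix.strip() else "not_affected"

def audit(inventory_csv):
    """Group hosts from a 'host,version' CSV by classification."""
    report = {"affected": [], "not_affected": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row.get("version"))].append(row["host"])
    return report

# Constructed sample inventory (hostnames and versions are made up for the example)
SAMPLE_INVENTORY = """host,version
mac-01,7.8.6
mac-02,7.8.7
mac-03,7.7.0
mac-04,7.6.801
mac-05,8.2.0
mac-06,7.8
mac-07,7.8.7.BETA-1
mac-08,
"""

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

The check looks only at the app version; whether the bundled Safari extension is in use on a host has to be established separately.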

Impact and exploitability

Exploiting this issue requires an attacker to inject into a site malicious JavaScript that specifically targets the 1Password extension for Safari. This could be done through a cross-site scripting attack or by tricking a user into visiting a malicious website. When a user visits such a website, the attacker is able to trick the extension into providing item data and can then collect it.

Commentary

1Password should only ever fill your data with your permission. You should always be in control. That means we consider bugs that circumvent your permission to be very important and have taken steps to prevent this from happening again. We’re happy that Megamind shared this issue directly and privately with us and look forward to working with them in the future.