About the issue
An issue was discovered in 1Password for Mac versions 7.2.4 to 7.9.2. The issue allowed a malicious program running locally on a computer alongside 1Password for Mac to communicate with the app when unlocked and obtain secrets from it. The secrets that could be obtained include items stored in the app.
This issue was discovered internally by 1Password developers in April 2022. 1Password has no reason to believe that this issue has been discovered or exploited by anyone else. It has been assigned identifier CVE-2022-29868 in the Common Vulnerabilities and Exposures database.
Who may be affected
Anyone using 1Password for Mac versions 7.2.4 to 7.9.2 may be affected. The issue is resolved in 1Password 7.9.3 for Mac.
This issue does not affect 1Password 8 or 1Password on other platforms.
If you’re using an affected version of 1Password for Mac, update to the latest version of 1Password for Mac.
Impact and exploitability
Exploiting this issue requires an attacker to run malicious software on a computer specifically targeting 1Password for Mac. When 1Password is unlocked, such malicious software could misuse a logic bug to bypass validations 1Password performs when communicating with other processes. This would permit the malicious software to read vault items, as well as obtain derived values used to sign in to 1Password: specifically, the account unlock key and “SRP-𝑥”.
1Password can only provide limited protection when you’re using a machine that’s been compromised with malicious software. Although no app can guarantee data protection on a machine compromised by malicious software, 1Password should always provide as much protection as feasible. To mitigate the impact of malicious software, 1Password should correctly verify whether other software on your computer is allowed to communicate with it.
We’re sorry that we haven’t upheld these local protections in this case. We’ve made improvements to our processes to make sure that bugs of this nature are more easily spotted by us in the future.