About the issue
There is an issue that affects the way 1Password displays images in WebP format that can be used by an attacker to cause a heap buffer overflow. The issue affects 1Password 8 for Mac, Windows, and Linux versions prior to 8.10.15.
The 1Password issue was inherited from Google Chrome, where it was assigned vulnerability identifier CVE-2023-4863. A duplicate issue was reported with identifier CVE-2023-5129. 1Password uses components from Google Chrome and is therefore affected by the same issue. We have not received reports of this issue being exploited in 1Password. There are reports of the issue being exploited in Google Chrome.
Who may be affected
Anyone using 1Password 8 for Mac, Windows, or Linux prior to version 8.10.15 is affected by this issue. The issue does not affect 1Password for iOS or Android, nor earlier versions of 1Password.
Recommended action
If you’re using an affected version of 1Password 8 for Mac, Windows, or Linux, update to the latest version.
Impact and exploitability
An attacker who is able to show images in the WebP format to a victim using the 1Password app is able to perform a heap buffer overflow. The attacker can use this as a starting off point to achieve remote code execution or steal secrets from the other user’s device.
1Password only shows images provided by other users in the account, in the form of icons or avatars. As a result, an attacker needs to share an account with a victim to perform the attack.
By default, 1Password apps don’t permit creating WebP images. However, if an attacker uses a maliciously modified client, they may be able to create WebP images regardless. If that happens, 1Password apps will attempt to display these images and become susceptible to this issue.
Commentary
This issue is part of a wide ranging industry issue that impacts many apps that use the libwebp library to process WebP images.
We designed 1Password to substantially reduce the attack surface of vulnerabilities affecting Google Chrome for 1Password. 1Password apps do not and may not show arbitrary content from the web. This defense-in-depth measure provides protection against the majority of security bugs affecting the Chrome components we use. Regrettably, this instance shows this measure doesn’t cover all such bugs. We hope to improve our defense-in-depth stance even further in the future.