CVE-2024-42218 for 1Password 8 for Mac

Published:

Summary

An issue has been identified that affects the security protections of 1Password on macOS. This issue allows attackers to use outdated versions of the 1Password for Mac app to bypass macOS-specific security mechanisms, potentially enabling the theft of sensitive information from the app.

This issue was responsibly disclosed to us by Robinhood’s Red Team after they chose to conduct an independent security assessment of 1Password for Mac. 1Password has received no reports that this issue was discovered or exploited by anyone else.

Who is affected

This issue affects all 1Password 8 for Mac versions before 8.10.38 (August 2024). 1Password for Mac 8.10.38 (August 2024) prevents this issue from being exploitable.

1Password 7 for Mac is not affected by this issue.

If you’re using an affected version of 1Password 8 for Mac, update to the latest version.

Impact and Exploitability

To exploit the issue, an attacker must run malicious software that specifically targets 1Password for Mac on the user’s computer. If an attacker is able to load an old version of 1Password on a user’s computer, they could then access 1Password-associated secrets stored in the macOS Keychain.

This would permit the malicious software to exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and “SRP-𝑥”. Learn more on page 19 of 1Password Security Design. 

This issue leverages out-of-date versions of 1Password that contain vulnerabilities in third-party dependencies and are missing security hardening measures enabled in all modern versions of 1Password. An attacker can use the existence of these old versions to create an attack on newer versions of the apps.

Calculated CVSS 3.1 Score - 6.3 (Medium)

AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

This issue requires local access to the user’s computer with standard or low user privileges. The attack is complex for an attacker to accomplish, but does not require user interaction. Successful exploitation will not allow an attacker to directly gain access to other resources on the computer. The confidentiality and integrity impacts are high, but there is no availability impact.

Commentary

We want to be able to do everything we can to protect data from local threats. On our blog, we discussed what we can and can’t do locally on devices. We consider this to be an example of a local threat that we can provide some protections against.

As part of its secure development lifecycle, 1Password regularly addresses security vulnerabilities in its products and the components it uses. This issue demonstrates that it’s not always enough to patch security vulnerabilities in the latest version. An adjustment to how platform security features, such as the macOS Keychain, are configured is sometimes also required to make sure that past 1Password versions can’t automatically access secrets in newer versions. We’ll continue to be vigilant about protecting our apps and users against this style of attack.

Thank you to Robinhood’s Red Team for responsibly disclosing this issue to us and allowing us to protect our users. For more information about the Robinhood Red Team’s findings, refer to our blog.