CVE-2024-42219 for 1Password 8 for Mac

Published:

Summary

An issue has been identified in 1Password for Mac that affects the app’s platform security protections. This issue enables a malicious process running locally on a machine to bypass inter-process communication protections.

This issue was responsibly disclosed to us by Robinhood’s Red Team after they chose to conduct an independent security assessment of 1Password for Mac. 1Password has received no reports that this issue was discovered or exploited by anyone else.

Who is affected

This issue affects all 1Password 8 for Mac versions before 8.10.36 (July 2024). The issue is resolved in 1Password for Mac version 8.10.36 (July 2024).

1Password 7 for Mac is not affected by this issue.

If you’re using an affected version of 1Password 8 for Mac, update to the latest version.

Impact and Exploitability

To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac. An attacker is able to misuse missing macOS-specific inter-process validations to hijack or impersonate a trusted 1Password integration, such as the 1Password browser extension or CLI.

This would permit the malicious software to exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and “SRP-𝑥”. Learn more on page 19 of 1Password Security Design. 

Calculated CVSS 3.1 Score - 6.3 (Medium)

AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

This issue requires local access to the user’s computer with standard or low user privileges to execute the attack. The attack is complex for an attacker to accomplish, but does not require user interaction if the 1Password desktop app is in an unlocked state. Successful exploitation will not allow an attacker to directly gain access to other resources on the computer. The confidentiality and integrity impacts are high, but the availability impact is none.

Commentary

On macOS, 1Password uses the system-native XPC interface for inter-process communication. XPC allows an app to enforce additional protections, called the hardened runtime, which require that the processes it communicates with are themselves protected from process tampering. This prevents certain local attacks.
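As an added illustration (not 1Password's code, and not a description of the fix, which this advisory does not publish), the sketch below shows one way an XPC service can validate the sender of a message: check its code signature against a requirement, then confirm it was signed with the hardened runtime. The function name `peer_is_trusted`, the bundle identifier and the team ID are hypothetical placeholders.

```objective-c
// Added example. Link against the Security and CoreFoundation frameworks.
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>
#include <xpc/xpc.h>
#include <stdbool.h>
#include <stdint.h>

// Constructed placeholder requirement: substitute your own identifier and team ID.
static const char *kClientRequirement =
    "anchor apple generic and identifier \"com.example.client\" "
    "and certificate leaf[subject.OU] = \"EXAMPLETEAM\"";

// Returns true only if the process that sent `message` has a valid signature
// matching the requirement and was signed with the hardened runtime flag.
static bool peer_is_trusted(xpc_object_t message) {
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    CFStringRef text = NULL;
    CFDictionaryRef info = NULL;
    CFNumberRef flagsNum = NULL;
    uint32_t flags = 0;
    bool trusted = false;

    // Bind the identity to the message's sender instead of looking it up by PID.
    if (SecCodeCreateWithXPCMessage(message, kSecCSDefaultFlags, &code) != errSecSuccess)
        goto done;
    text = CFStringCreateWithCString(NULL, kClientRequirement, kCFStringEncodingUTF8);
    if (text == NULL ||
        SecRequirementCreateWithString(text, kSecCSDefaultFlags, &req) != errSecSuccess)
        goto done;
    // Fails if the signature is invalid or the requirement is not met.
    if (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) != errSecSuccess)
        goto done;
    // Read the signature flags and require the hardened runtime bit.
    if (SecCodeCopySigningInformation((SecStaticCodeRef)code, kSecCSDefaultFlags,
                                      &info) != errSecSuccess)
        goto done;
    flagsNum = CFDictionaryGetValue(info, kSecCodeInfoFlags);
    if (flagsNum != NULL && CFNumberGetValue(flagsNum, kCFNumberSInt32Type, &flags))
        trusted = (flags & kSecCodeSignatureRuntime) != 0;

done:  // Release everything created above; a failed check leaves trusted == false.
    if (info) CFRelease(info);
    if (req) CFRelease(req);
    if (text) CFRelease(text);
    if (code) CFRelease(code);
    return trusted;
}
```

A service would call `peer_is_trusted` on each incoming message in its connection event handler and cancel the connection when it returns false.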

Thank you to Robinhood’s Red Team for responsibly disclosing this issue to us and allowing us to protect our users. For more information about the Robinhood Red Team’s findings, refer to our blog.