DEF CON 2024 Disclosure - Settings File Unprotected


Summary

1Password 8 desktop apps store their settings in a JSON file on disk. Before the fix, that file carried no integrity protection, so anyone who could write to it as the logged-in user could change settings simply by editing the JSON. No authentication to 1Password was required. As a result, a malicious actor with that level of access could alter 1Password settings, including security-related ones. The issue is limited to cases where the computer is already compromised, since the attacker must first be able to run code or edit files as the user. This issue was fixed in 1Password version 8.10.38 (August 2024).

Who is affected

This issue affects all 1Password 8 desktop app versions before 8.10.38 (August 2024). It was fixed in that release by requiring 1Password authentication and enforcing integrity checks before settings can be changed.

1Password 7 desktop apps are affected by a similar settings integrity issue, even though the technology behind the settings is slightly different than 1Password 8 desktop apps.

The reported issue is classified as a “local attack,” which means a malicious actor would need to gain access to an end user’s computer before they could exploit the issue. This would require malware, for example, to be installed on the user’s computer. The possibility of local attacks, such as malware, is a risk not just for password managers but for all software.

If you’re using an affected version of 1Password 8, update to the latest version.

If you’re using an affected version of 1Password 7, an updated version of 1Password 7 is not available due to the low severity of the issue, as it’s a “local attack.” We recommend you upgrade to 1Password 8 if you’re concerned about local threats.

Impact and Exploitability

This issue relies on the permissions operating systems grant to software running as the user, which include altering that user's files, the 1Password settings file among them. That is standard operating system behaviour rather than a weakness in 1Password, so we consider it a limitation in the operating system's ability to isolate processes from one another rather than an issue specific to 1Password. The mitigation in 8.10.38 therefore reduces what an attacker with that access can achieve; it cannot remove the access itself.

If a device is compromised by malicious software running as the user, that software can modify any file the user owns. In that scenario, this issue lets the attacker change values in the 1Password settings file; it does not provide a way to inject arbitrary data or code into the 1Password desktop app.

Commentary

To further enhance the security of our desktop applications, we have introduced an integrity check in the form of cryptographic signatures stored within the settings.json file. On load, the app verifies the signature of each sensitive setting and resets any setting that is unsigned, or whose signature does not match its current value, to its default. This provides an additional layer of protection should a device be compromised, by making it harder for malicious software to force the 1Password desktop applications to use attacker-desired settings.

The cryptographic keys used to sign these sensitive settings are only available while the 1Password desktop application is unlocked, so software that can merely write to the file cannot produce a valid signature for a changed value.
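The following is an added illustration of the signed-settings pattern described above; it is example code written for this page, not 1Password's implementation, and the setting names, defaults and the 32-byte key are constructed. Each sensitive setting is signed with an HMAC over the setting name and its canonical JSON value, and on load any sensitive setting with a missing or non-matching signature is reset to its default. The demo also shows why an unsigned value left over from before the feature existed is treated the same way as tampering, which is the situation behind the Settings Reset message discussed below.

```python
import hashlib
import hmac
import json
from typing import Any

# Constructed example key. In the pattern described above the key would be
# derived from material that is only available while the vault is unlocked,
# so malware that can only write files cannot compute valid signatures.
SIGNING_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Hypothetical sensitive setting names and their safe defaults (not real 1Password settings).
SENSITIVE_DEFAULTS: dict[str, Any] = {
    "security.autolock_minutes": 10,
    "security.lock_on_sleep": True,
    "security.clipboard_clear_seconds": 90,
}


def _canonical(name: str, value: Any) -> bytes:
    # Deterministic serialisation; binding the name into the signed message
    # stops an attacker from moving a valid signature onto a different setting.
    return json.dumps([name, value], sort_keys=True, separators=(",", ":")).encode()


def _sign(name: str, value: Any, signing_key: bytes) -> str:
    return hmac.new(signing_key, _canonical(name, value), hashlib.sha256).hexdigest()


def sign_settings(settings: dict[str, Any], signing_key: bytes) -> dict[str, Any]:
    """Return the on-disk document: the settings plus a signature per sensitive key present."""
    doc = dict(settings)
    doc["signatures"] = {
        name: _sign(name, settings[name], signing_key)
        for name in SENSITIVE_DEFAULTS
        if name in settings
    }
    return doc


def load_verified(doc: dict[str, Any], signing_key: bytes) -> tuple[dict[str, Any], list[str]]:
    """Verify each sensitive setting; reset unsigned or tampered ones to their default.

    Returns (effective_settings, names_of_settings_that_were_reset).
    """
    signatures = doc.get("signatures", {})
    settings = {k: v for k, v in doc.items() if k != "signatures"}
    reset: list[str] = []
    for name, default in SENSITIVE_DEFAULTS.items():
        if name not in settings:
            continue  # absent setting: the app would use its default anyway
        expected = signatures.get(name)
        actual = _sign(name, settings[name], signing_key)
        # compare_digest avoids leaking signature bytes through timing.
        if not isinstance(expected, str) or not hmac.compare_digest(expected, actual):
            settings[name] = default
            reset.append(name)
    return settings, reset


def demo() -> tuple[dict[str, Any], list[str]]:
    """Constructed scenario: the app writes a signed file, local malware edits it."""
    on_disk = sign_settings(
        {
            "appearance.theme": "dark",
            "security.autolock_minutes": 10,
            "security.lock_on_sleep": True,
        },
        SIGNING_KEY,
    )
    tampered = json.loads(json.dumps(on_disk))  # simulate reading the edited file back
    tampered["security.autolock_minutes"] = 100000  # value changed, signature now stale
    tampered["security.lock_on_sleep"] = False
    # Attempted signature swap: reuse autolock's valid signature on another setting.
    tampered["signatures"]["security.lock_on_sleep"] = tampered["signatures"]["security.autolock_minutes"]
    # Added with no signature at all; a pre-upgrade, never-signed value looks identical.
    tampered["security.clipboard_clear_seconds"] = 0
    tampered["appearance.theme"] = "light"  # not sensitive: accepted as-is
    return load_verified(tampered, SIGNING_KEY)


if __name__ == "__main__":
    effective, reset_names = demo()
    print("effective settings:", effective)
    print("reset to default:", reset_names)
```

Note that the check only protects the settings it covers: a non-sensitive setting such as the theme is accepted unchanged, which matches the text's framing of the signatures as covering "potentially sensitive" settings rather than the whole file.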

Help

Settings Reset Message

This enhancement ran in our beta version for some time without problems. With the 8.10.38 production release, however, a small subset of users are seeing a Settings Reset message because settings they did not change were reset.

Our team is continuing to investigate why this small group of users had an unexpected settings reset, and we will make whatever changes are needed so that it does not cause further confusion.

So far, we have determined two scenarios where settings would be reset unexpectedly, triggering the Settings Reset message, and we’re working to remedy both. These can occur if:

  • You reset the 1Password application or signed out of all your accounts at least once in the last year, or
  • Some settings changed or set in the past were not formatted to match the latest settings specification.

In the meantime, we recommend that you update your settings to your desired configuration. If you see this message again, check your device for any software that may be attempting to modify your 1Password settings and send us a diagnostics report using the steps in the support guide.

We appreciate your patience while this is investigated, and we are happy to answer any additional questions.

Thank you to Robinhood’s Red Team for responsibly disclosing this issue to 1Password and allowing us to protect our users. For more information about the Red Team’s findings, refer to our blog.