AgileBits, the developer of the popular password manager 1Password, has confirmed a critical security vulnerability that allows an attacker to read storage elements, such as the passwords and keys used to unlock user accounts, on macOS.
The vulnerability, tracked as CVE-2024-42219 with a CVSS score of 7.0, enables a malicious process to bypass macOS inter-process protections and read items from 1Password's storage. This includes the key used to unlock the account and the SRP values used to authenticate to the service. SRP (Secure Remote Password) is the authentication mechanism 1Password uses to grant access to its service.
Despite the vulnerability, 1Password offers a multilayered security system, which includes an additional 128-bit Secret Key generated on the user's device and never known to AgileBits employees.
The vulnerability was discovered by Robinhood's Red Team, and AgileBits promptly fixed it in 1Password version 8.10.38. The company expressed its gratitude to the researchers and pledged to share more details in a blog post following their presentation at the DEF CON conference.
All users of 1Password 8 for macOS are advised to update to the latest version (8.10.36) to protect against CVE-2024-42219. To exploit the vulnerability, an attacker would first need to convince the user to run malicious software on their computer.
AgileBits assured users that, to the best of its knowledge, the vulnerability had been discovered and used only by the Robinhood Red Team researchers and by no other unauthorized party. Nevertheless, it urges all 1Password users on macOS to update their applications for added security.
Fortunately, 1Password automatically checks for updates five minutes after launch and once a day thereafter. If the application is unlocked, users receive a notification that an update is available; if it is locked, the app updates itself automatically.