A critical security issue in 1Password for Mac left credentials vulnerable to attack
1Password has disclosed a now patched critical security flaw in its software that could give attackers access to users' unlock keys and credentials. Here's what to do to keep your data safe.
1Password has disclosed a critical security flaw present in older versions of its popular password manager
In a security post, 1Password has revealed the exact details of the vulnerability, and which application versions are susceptible to attacks.
According to the company, every release of 1Password for Mac earlier than 8.10.36 (July 2024) is affected. The fix is straightforward: update the 1Password application to version 8.10.36, which is already available.
There are currently no indications that the flaw has been exploited in the wild. It was found during an independent security assessment of the app by the Robinhood Red Team, which reported it to 1Password.
Even so, the security post recommends that anyone still running an affected version, meaning any 1Password for Mac release before 8.10.36, update now.
1Password has also explained in detail how the exploit works:
An issue has been identified in 1Password for Mac that affects the app's platform security protections. This issue enables a malicious process running locally on a machine to bypass inter-process communication protections.
To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac. An attacker is able to misuse missing macOS-specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI. This would permit the malicious software to exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and "SRP-x."
As the company recommends, the remedy is to update 1Password for Mac to version 8.10.36.
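The quoted advisory attributes the flaw to missing macOS-specific inter-process validation: the app trusted peers such as the browser extension or CLI without confirming what process was actually on the other end of the connection. The Swift sketch below is an added example, not 1Password's code and not taken from the advisory. It shows the kind of admission check a macOS XPC service can apply to a connecting client, with the weak PID-based form shown beside the per-connection code-signing requirement that macOS 13 and later provide. The Mach service name, Team ID, bundle identifier and protocol are all assumed for illustration.

```swift
import Foundation
import Security

// Example only: a hypothetical XPC service that refuses connections from
// processes that do not carry the expected code signature. Team ID, bundle
// identifier, service name and protocol are made up for illustration.

/// Requirement a trusted client must satisfy: signed through Apple's developer
/// program, with a specific bundle identifier and Team ID (both assumed values).
let trustedClientRequirement =
    "anchor apple generic " +
    "and identifier \"com.example.trusted-client\" " +
    "and certificate leaf[subject.OU] = \"ABCDE12345\""

@objc protocol VaultService {
    func fetchItem(named name: String, reply: @escaping (String?) -> Void)
}

final class VaultServiceImpl: NSObject, VaultService {
    func fetchItem(named name: String, reply: @escaping (String?) -> Void) {
        reply(nil)  // vault access elided; the example is about the admission check
    }
}

/// Weak pattern, kept for contrast: identify the peer by PID and check the
/// signature of whatever process currently holds that PID. PIDs are recycled
/// and the binary can change after the check, so this is a check/use race and
/// does not, by itself, establish who sends later messages.
func peerLooksTrustedByPid(_ pid: pid_t) -> Bool {
    var code: SecCode?
    let attrs: [CFString: Any] = [kSecGuestAttributePid: NSNumber(value: pid)]
    guard SecCodeCopyGuestWithAttributes(nil, attrs as CFDictionary, [], &code) == errSecSuccess,
          let guest = code else { return false }

    var requirement: SecRequirement?
    guard SecRequirementCreateWithString(trustedClientRequirement as CFString, [], &requirement) == errSecSuccess,
          let req = requirement else { return false }

    return SecCodeCheckValidity(guest, [], req) == errSecSuccess
}

/// Hardened pattern: bind the requirement to the connection so the framework
/// evaluates it against the kernel-supplied identity of the actual sender, on
/// every message, instead of trusting a one-time PID snapshot.
final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        if #available(macOS 13.0, *) {
            newConnection.setCodeSigningRequirement(trustedClientRequirement)
        } else {
            // No public per-connection API before macOS 13: either accept the
            // PID check with the caveat above, or refuse the connection outright.
            guard peerLooksTrustedByPid(newConnection.processIdentifier) else {
                return false
            }
        }
        newConnection.exportedInterface = NSXPCInterface(with: VaultService.self)
        newConnection.exportedObject = VaultServiceImpl()
        newConnection.resume()
        return true
    }
}

let delegate = ListenerDelegate()
let listener = NSXPCListener(machServiceName: "com.example.vault-service") // assumed name
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

The requirement string is the policy: a client that is merely "some signed binary" or that only has the right bundle identifier does not satisfy it, since the Team ID clause ties trust to the developer account that signed the extension or CLI. Pinning that requirement to the connection rather than to a PID is what closes the impersonation gap the advisory describes.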
Comments
So why did you choose to move from a self-hosted server with 1Password to a self-hosted server with Bitwarden?
It's certainly nicer than Keychain for the average user, but that's about it for benefits at this stage.
2) I do like that it includes your WiFi passwords and SSIDs, but I've never had a problem with how those are stored in Network Settings.
3) I just noticed that there is a Share option. I wonder if that will dynamically update passwords and allow for read-only, edit, and owner modes for the info.
- I don't trust cloud services. Privacy is not a problem in this particular case (probably), but reliability and long-term availability is always a concern. I've been bitten by this so many times that I avoid "cloud" offerings like the plague.
- I don't like subscriptions for life essential things. Even if I go broke or die or the operator of the service ceases to exist or gets the Google treatment, life has to go on without me (or someone else) having to scramble to find suitable replacement for many people and devices.
1Password has been really hostile to the non-cloud/subscription approach. I've been a strong supporter since version 2 (or 3) and bought each version for the whole family; I have absolutely no problem forking out some dough, one-time, to get a decent product which works for many years to come. But then came the "no standalone vaults" policy for Mac with 1Password 7 and the huge kerfuffle over pulling the old app from the App Store and not allowing the use of standalone vaults in the new version on iOS (which they backpedaled on a bit later), which really annoyed the heck out of me. On Mac I was stuck with 1Password 6, which became really annoying with its inefficiency on ARM and dropping browser support. Ever since 1Password 7 I've been looking for a replacement, and I decided to real-life test Bitwarden a few weeks ago.
Don't get me wrong. Even 1Password 6 is a much better product than Bitwarden is today, the user interface of the latter on Mac is utter shite -- it's really just about bearable; the iOS version is a lot more usable but still lacking in features. 1Password quite literally forced me to quit them with the unacceptable cloud and subscription policy and if they ever decide to reverse course and offer standalone usable versions again, I'll be first in line to buy them.
I totally believe and trust that 1Password has the expertise (unlike other services) to keep the data secure and private (in fact, too-strong security is kind of an issue in itself currently with my deceased partner), but I don't have any trust in the data safety (loss and corruption) or operational contingency of some random cloud service. I do trust my own capabilities, however, to host my own services and data and keep the show running until I kick the bucket (and some time beyond that); is the whole system impenetrable? Nah, certainly not, but it'll be a good challenge for anyone just to get behind the first line of defence...