PSA: Using 1Password for Mac? Update Now to Avoid This Security Threat
There are many good reasons to use a password manager, and 1Password is among the best. However, even the most diligent and security-focused apps occasionally fall prey to vulnerabilities. What separates a good app from a bad one isn’t whether it encounters security issues but how its developers respond to them.
That’s why it’s always essential to keep your apps and operating systems up to date. Whether it’s Apple’s iOS or third-party apps, security researchers are constantly finding and reporting new vulnerabilities. Ideally, these are patched as quickly as possible, but if you’re not staying up to date, you’re not benefiting from these fixes — and there are few apps where it’s more important to do so than the one that stores the passwords for your entire life.
On Monday, 1Password shared details on a vulnerability, tracked as a CVE (Common Vulnerabilities and Exposures entry), that had been discovered in the Mac version of 1Password and that could have allowed another app on your Mac to “exfiltrate vault items” — that is to say, read all your passwords and other secure information.
An issue has been identified in 1Password for Mac that affects the app’s platform security protections. This issue enables a malicious process running locally on a machine to bypass inter-process communication protections.
Fortunately, the issue was discovered and fixed nearly a month ago, and to the best of the knowledge of the 1Password team and the folks who found it — Robinhood’s Red Team (yes, that Robinhood) — it wasn’t discovered by anyone else or exploited before it could be fixed.
1Password notes that it only affects “versions before 8.10.36” and was resolved in that version, which was released on July 9. Since we’re now at 8.10.39, chances are good that you’re already running a version that includes the fixes. However, here’s how to make sure:
- Open 1Password on your Mac.
- Select 1Password from the menu bar.
- Choose About 1Password.
- Note the version number. If it’s not at least 8.10.36, click Check for Updates to download and install the latest version.
By default, 1Password installs updates automatically, so if you’re behind, it’s worth confirming that setting: click the Advanced tab in that same dialog box and ensure “Install updates automatically” is enabled.
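For readers who manage more than one Mac, the manual check above can be scripted. The following is an added example, not code from the article or from 1Password: it reads the installed version from the app bundle, compares it against the fixed version 8.10.36 with a proper dotted-version comparison (plain string comparison would rank 8.10.9 above 8.10.36), and also asks `codesign` to verify the bundle’s signature so that a tampered copy of the app is noticed. It assumes 1Password 8 lives at /Applications/1Password.app and that its Info.plist carries the version in the standard CFBundleShortVersionString key.

```shell
#!/bin/sh
# Added example (not from the article or from 1Password): report whether the
# installed 1Password for Mac already includes the fix shipped in 8.10.36.
# Assumptions: 1Password 8 is installed at /Applications/1Password.app and its
# Info.plist carries the version in CFBundleShortVersionString.

FIXED_VERSION="8.10.36"
APP_BUNDLE="/Applications/1Password.app"
APP_PLIST="$APP_BUNDLE/Contents/Info.plist"

# version_ge A B: return 0 if dotted numeric version A is >= B, 1 otherwise.
# Missing trailing components count as 0, so 8.10 < 8.10.36 and 9.0 > 8.10.36.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        # Drop the component just compared (or empty the string on the last one).
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# installed_version: print the bundle version, or "unknown" if it cannot be read.
# PlistBuddy ships with macOS under /usr/libexec.
installed_version() {
    if [ -f "$APP_PLIST" ] && [ -x /usr/libexec/PlistBuddy ]; then
        /usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "$APP_PLIST" 2>/dev/null
    else
        echo "unknown"
    fi
}

# signature_ok: return 0 if codesign accepts the bundle's signature (strict mode
# also rejects bundles whose resources were modified after signing).
signature_ok() {
    command -v codesign >/dev/null 2>&1 || return 2
    codesign --verify --deep --strict "$APP_BUNDLE" >/dev/null 2>&1
}

# check_1password: 0 = patched, 1 = needs update, 2 = app not found/unreadable.
check_1password() {
    v=$(installed_version)
    if [ "$v" = "unknown" ]; then
        echo "1Password.app not found or version unreadable"
        return 2
    fi
    if signature_ok; then
        echo "code signature: valid"
    else
        echo "code signature: NOT verified (reinstall from 1password.com if this persists)"
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "1Password $v: includes the fix (>= $FIXED_VERSION)"
        return 0
    fi
    echo "1Password $v: older than $FIXED_VERSION, run Check for Updates now"
    return 1
}

# When run directly, report the result; the function's return code is the
# machine-readable answer for use in fleet scripts.
check_1password
status=$?
echo "exit status: $status"
```

The script only reads the bundle and never touches the vault; on a Mac without 1Password installed it prints the "not found" line and exits with status 2 rather than failing, which keeps it safe to push out broadly.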
What Are the Risks?
1Password patched this vulnerability before anyone else knew about it. It also waited nearly a month to disclose it to the public to ensure that most of its customers would have automatically updated to the latest version. Hence, it’s extremely unlikely anyone was able to take advantage of this.
Further, this particular vulnerability had a limited attack surface. At most, it allowed other apps installed on your Mac to gain access to the data stored in the 1Password for Mac app. It didn’t expose data directly from the cloud or your other devices, nor did it open up 1Password on your Mac to malicious web pages or JavaScript.
In other words, this could only be exploited by a malicious app that you had deliberately installed on your Mac — and that app had to be precisely designed to target this specific 1Password vulnerability; this wasn’t a case of random malware being able to pick up “leaked” information.
To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac. An attacker is able to misuse missing macOS specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI.
As most security experts will tell you, once malicious software is running directly on your device, it’s “game over” — your security has already been compromised in numerous other ways. However, 1Password does its best to protect your data through its own security features and those that Apple has built into macOS. Still, now that information about this vulnerability is public, it’s critical that you ensure 1Password is up to date: hackers are undoubtedly already trying to exploit it, hoping to find people running older versions of 1Password who aren’t careful enough about the apps they install on their Macs.