August 9, 2024 By Zeljka Zorz
Two vulnerabilities (CVE-2024-42219, CVE-2024-42218) affecting the macOS version of the popular 1Password password manager could allow malware to steal secrets stored in the software’s vaults and obtain the account unlock key, AgileBits has confirmed.
Discovered by the Robinhood Red Team during a security assessment of 1Password for Mac and then privately reported to the software’s makers, the vulnerabilities have been fixed in two consecutive versions of the software: v8.10.36 (released on July 9) and v8.10.38 (released on August 6).
AgileBits says that they have received no reports that these issues were discovered or exploited by anyone else.
The vulnerabilities (CVE-2024-42219, CVE-2024-42218)
CVE-2024-42219 enables a malicious process – i.e., malware – running locally on a machine to bypass inter-process communication protections.
“An attacker is able to misuse missing macOS specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI,” the company says.
CVE-2024-42218 may allow attackers to bypass macOS-specific security mechanisms by using outdated versions of the 1Password for Mac app.
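Since the second CVE concerns outdated builds, the practical defender action is to confirm every Mac runs the release that carries both fixes. The check below is an added example, not code from the article or from AgileBits; it assumes the standard 1Password 8 bundle path /Applications/1Password.app, the CFBundleShortVersionString key in its Info.plist, and takes 8.10.38 from the article as the patched version.

```shell
#!/bin/sh
# Added example: verify the installed 1Password for Mac is at or above the
# release that closed CVE-2024-42219 and CVE-2024-42218 (8.10.38 per the
# article). Bundle path and plist key are assumed standard macOS conventions.
FIXED_VERSION="8.10.38"
APP_PLIST="/Applications/1Password.app/Contents/Info.plist"

# version_ge A B: succeed when dotted numeric version A >= B, comparing each
# component as an integer so that 8.10.38 > 8.9.50 and 8.11 > 8.10.38.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# installed_version: print the bundle's marketing version, or fail if the
# app is not present at the assumed path.
installed_version() {
    [ -f "$APP_PLIST" ] || return 1
    defaults read "$APP_PLIST" CFBundleShortVersionString 2>/dev/null
}

# check_1password: returns 0 when patched, 1 when an older build is
# installed, 2 when the app is not found. Suitable for an MDM/compliance run.
check_1password() {
    v="$(installed_version)" || { echo "1Password for Mac not found at $APP_PLIST"; return 2; }
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "1Password $v: includes fixes for CVE-2024-42219 and CVE-2024-42218"
        return 0
    fi
    echo "1Password $v: older than $FIXED_VERSION, update required"
    return 1
}
```

Run `check_1password` on each endpoint and collect the exit code; anything other than 0 is a host that still needs the update.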