High-Risk Security Vulnerability Detected in Password Manager 1Password, Users Urged to Upgrade Immediately
The well-known password manager 1Password has recently been found to contain a high-risk security vulnerability. It was discovered by security researchers presenting at the DEFCON hacking conference, who are due to disclose it in a talk this Saturday; they notified 1Password in advance so the issue could be fixed first.
Password managers typically unlock their data with a master password. 1Password adds a second layer: a 128-bit key that is used together with the master password to encrypt the vault. The weakness is that malicious software on the device can bypass the inter-process communication safeguards and steal that key.
At present the vulnerability affects only 1Password for Mac, and it is fixed in version 8.10.38. Users should therefore check their installed version and upgrade to the latest release immediately.
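The version check the article recommends can be scripted. The following is an added example, not code from the article or from 1Password: it reads the installed 1Password for Mac bundle version and compares it against the fixed release named above (8.10.38). It assumes the default install path /Applications/1Password.app and the macOS PlistBuddy tool; the version comparison itself is general-purpose and works for any dotted version strings, not just the article's single case.

```shell
#!/bin/sh
# Added example (not from the article or from 1Password): checks whether the
# installed 1Password for Mac is at least the fixed release the article names.

FIXED_VERSION="8.10.38"          # fixed release per the article
# Assumption: default install location; override with ONEPASSWORD_APP if needed.
APP_PLIST="${ONEPASSWORD_APP:-/Applications/1Password.app}/Contents/Info.plist"

# version_ge A B: exit status 0 when dotted version A >= B. Components are
# compared numerically left to right; missing components count as 0 and any
# non-digit suffix (e.g. "-beta") on a component is ignored.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"                 # leading component of each
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"      # drop it from the remainder
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"     # strip non-digit suffixes
        ai="${ai:-0}"; bi="${bi:-0}"                 # empty component -> 0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# check_1password_version VERSION: print a verdict; exit status 0 only when
# VERSION already contains the fix.
check_1password_version() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "1Password $1 includes the CVE-2024-42219 fix (>= $FIXED_VERSION)"
        return 0
    fi
    echo "1Password $1 is older than $FIXED_VERSION: upgrade now"
    return 1
}

# installed_1password_version: print the bundle version from Info.plist on
# macOS; fails when the app is not installed at the assumed path.
installed_1password_version() {
    [ -f "$APP_PLIST" ] || return 1
    /usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "$APP_PLIST" 2>/dev/null
}

if installed="$(installed_1password_version)"; then
    check_1password_version "$installed"
else
    echo "1Password for Mac not found at $APP_PLIST; nothing to check"
fi
```

Run it as-is on a Mac. The exit status of check_1password_version lets a fleet-management script flag machines still on an older build, and version_ge can be reused for any other dotted version comparison.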
CVE-2024-42219 Vulnerability:
A malicious process running on the device can bypass inter-process communication protections. This lets it steal 1Password vault data, including stored accounts and passwords, and obtain the derived values used to sign in to 1Password, in particular the account unlock key and the SRP-x (Secure Remote Password) value.
1Password has confirmed that an attacker could exploit the vulnerability to impersonate the password manager's browser extension and thereby obtain data. So far there is no evidence of real-world impact: apart from the security researchers, nobody is known to have discovered or exploited the flaw.
For security reasons, neither the researchers nor 1Password will publish specific details for now; they will be released after the researchers' presentation at the DEFCON hacking conference this Saturday. 1Password's automatic update mechanism is expected to move all older installations to the fixed version within the next two days.
1Password's statement reads:
Researchers have found that security flaws could arise when a device is compromised by malicious software and hackers gain complete control of the device. Once malicious software or hackers have full control of a device, security can almost never be guaranteed.
We have addressed the latest vulnerability within our control and fixed the issue in the 8.10.38 client version. We are grateful to the researchers for disclosing the vulnerability and collaborating with us on the fix before their presentation at 2 p.m. (Pacific Time) this Saturday at the DEFCON conference.
We are committed to maintaining transparency on cybersecurity issues to ensure user safety. After the presentation, we will publish more information about this vulnerability on our official blog.