1Password urges Mac users to patch now to avoid having their data stolen


1Password, one of the best password managers around right now, has urged Mac users to download a patch for their credential storage after a bug was discovered that allows attackers to crack open vaults.

1Password allows users to create separate password vaults within the app, for example to keep work and personal credentials apart.

But this vulnerability, tracked as CVE-2024-42219 with a CVSS of 7.0, could be exploited by attackers to steal entire vaults of passwords from macOS users running 1Password version 8.10.36.

Cracking the vault

The flaw was discovered by security teams from Robinhood, who decided to test the 1Password app for vulnerabilities. Specifically, the National Vulnerability Database describes the flaw as allowing “local attackers to exfiltrate vault items because XPC inter-process communication validation is insufficient.”

In an advisory, the company stated, “To exploit the issue, an attacker must run malicious software on a computer specifically targeting 1Password for Mac. An attacker is able to misuse missing macOS-specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI.”

“This would permit the malicious software to exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and ‘SRP-x’.”

To exploit this flaw, an attacker would first have to trick the user into installing a custom-made program on the target machine, and so far there is no evidence that this has been done in the wild.
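The missing control the advisory describes is peer validation on the XPC listener: without it, any local process that connects to the service can pose as a trusted integration. The Swift below is an added illustration of that bug class, not code from 1Password or its advisory and not a description of how 1Password fixed the issue; it shows a listener delegate that accepts every client beside one that binds each connection to a code-signing requirement. The service protocol, bundle identifiers and Team ID are placeholders.

```swift
import Foundation

// Hypothetical protocol a vault-holding helper exposes over XPC.
@objc protocol VaultServiceProtocol {
    func fetchItem(_ id: String, reply: @escaping (Data?) -> Void)
}

final class VaultService: NSObject, VaultServiceProtocol {
    func fetchItem(_ id: String, reply: @escaping (Data?) -> Void) {
        reply(nil) // placeholder: a real service would read the vault here
    }
}

// Weak: any local process that knows the Mach service name is accepted,
// so malicious software can impersonate the browser extension or CLI.
final class PermissiveListenerDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        newConnection.exportedInterface = NSXPCInterface(with: VaultServiceProtocol.self)
        newConnection.exportedObject = VaultService()
        newConnection.resume()
        return true
    }
}

// Hardened: attach a code-signing requirement before the connection is resumed.
// The kernel-verified peer must satisfy it or its messages are never delivered.
// "ABCDE12345" and the com.example identifiers are placeholders, not real values.
final class ValidatingListenerDelegate: NSObject, NSXPCListenerDelegate {
    private let requirement =
        "anchor apple generic and certificate leaf[subject.OU] = \"ABCDE12345\" " +
        "and (identifier \"com.example.browser-helper\" or identifier \"com.example.cli\")"

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        guard #available(macOS 13.0, *) else {
            // No public per-connection requirement API on older systems: fail closed.
            return false
        }
        newConnection.setCodeSigningRequirement(requirement)
        newConnection.exportedInterface = NSXPCInterface(with: VaultServiceProtocol.self)
        newConnection.exportedObject = VaultService()
        newConnection.resume()
        return true
    }
}
```

The requirement pins the peer to an Apple-issued certificate for one Team ID and to named bundle identifiers, which is the property a spoofed extension or CLI cannot satisfy.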

1Password states that around 150,000 businesses rely on 1Password to store important credentials, but it is unclear how many of these use macOS devices. Windows users are not affected by this vulnerability.

Benedict Collins
Staff Writer (Security)
