Unexpected failure in 1Password protection: what to do for macOS users

AgileBits has acknowledged a significant security vulnerability.

AgileBits, the developer of the popular 1Password password manager, has confirmed a critical security vulnerability that allows attackers to obtain vault storage elements and account unlock keys for macOS users.

The vulnerability, CVE-2024-42219 (CVSS score 7.0), allows a malicious process running locally on the device to bypass macOS interprocess protection and exfiltrate 1Password vault elements, as well as obtain the account unlock key and the SRP values used to log in to the service. SRP (Secure Remote Password) is one of the security layers that guard access to the 1Password vault.

However, you should not worry too much, because SRP is only one part of the multi-layer 1Password security system. The service also relies on an additional 128-bit secret key, which is generated on the user's device and is not known to anyone else, including AgileBits employees.

A representative of 1Password noted that the vulnerability was discovered by the Robinhood Red Team, who had full control of the user's device during their research. AgileBits fixed the bug in 1Password version 8.10.38. The company thanked Robinhood Red Team for their cooperation and promised to publish additional details on its blog after the team's talk at the DEF CON conference.

CVE-2024-42219 affects all users of 1Password 8 for macOS who have not yet upgraded to 8.10.36. To exploit it, an attacker must first convince the user to run malware on their computer.

AgileBits confirmed that, to the best of its knowledge, the vulnerability has not been discovered or exploited by anyone other than the Robinhood Red Team researchers. At least, the company has not yet received any reports proving otherwise.

All users of 1Password for macOS are strongly encouraged to update their apps to the latest version. As noted above, the vulnerability was fixed in version 8.10.36.

Fortunately, 1Password automatically checks for updates five minutes after launch and then once a day. If the app is unlocked, users will receive a notification about an available update. If the app is locked, it should update automatically.
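For administrators who want to confirm the update landed on managed Macs rather than rely on the auto-updater, the following script is an added example (not code from the article or from AgileBits). It reads the installed bundle version and reports whether it is an affected 1Password 8 build older than 8.10.36, the fixed release the article names as the upgrade target. It assumes the app bundle lives at /Applications/1Password.app and that its Info.plist carries the standard CFBundleShortVersionString key; the version-comparison helper is written here, not taken from any 1Password tooling.

```shell
#!/bin/sh
# Added example: check whether the installed 1Password for macOS build
# predates the fixed release named in the article. Not AgileBits code.
# Assumptions: bundle path below and the CFBundleShortVersionString key.

FIXED_VERSION="8.10.36"                                   # fixed release per the article
APP_PLIST="/Applications/1Password.app/Contents/Info.plist"   # assumed bundle location

# version_lt A B : exit 0 when dotted version A is lower than B.
# Fields are compared numerically one at a time, so 8.10.9 < 8.10.36
# (a plain string comparison would get that wrong). Missing fields count
# as 0, and a suffix such as "36-beta" is reduced to its leading digits.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        ah="${ah%%[!0-9]*}"; bh="${bh%%[!0-9]*}"
        [ -z "$ah" ] && ah=0
        [ -z "$bh" ] && bh=0
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# needs_update VERSION : prints "yes" for a 1Password 8 build older than
# the fix and "no" otherwise. The article scopes the issue to the 8.x
# line, so other major versions are reported as not needing this update.
needs_update() {
    v="$1"
    case "$v" in
        8.*) if version_lt "$v" "$FIXED_VERSION"; then echo yes; else echo no; fi ;;
        *)   echo no ;;
    esac
}

# installed_version : read the bundle version with the macOS `defaults`
# tool; fails (exit 1) when the app bundle is not present.
installed_version() {
    [ -f "$APP_PLIST" ] || return 1
    defaults read "$APP_PLIST" CFBundleShortVersionString 2>/dev/null
}

# main : report the installed version against the fixed one.
# Exit 0 = up to date, 1 = update needed, 2 = app not found.
main() {
    v="$(installed_version)" || { echo "1Password.app not found at $APP_PLIST"; return 2; }
    status="$(needs_update "$v")"
    echo "installed: $v  fixed: $FIXED_VERSION  update needed: $status"
    [ "$status" = no ]
}

# Run the check only when invoked with --check, so the functions can also
# be sourced from another script without side effects.
if [ "${1:-}" = "--check" ]; then
    main
    exit $?
fi
```

Run it on a Mac with `sh 1password_check.sh --check`; a non-zero exit status of 1 means the installed build is still affected, which makes the script easy to wire into a fleet-management compliance check.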
