At 1Password, we’re committed to transparency about our security practices and keeping our customers safe.
At DEF CON 2024, Robinhood, a 1Password customer, presented on vulnerabilities discovered by their Red Team in a prior version of 1Password. We appreciate that Robinhood’s Red Team disclosed and collaborated closely with us to address these vulnerabilities ahead of their talk.
Strong security requires a collective effort from the entire technology ecosystem, and we believe that through active collaboration, the cybersecurity industry can create a more secure digital landscape for everyone.
We addressed the vulnerabilities within our control with the latest updates rolled out in the 8.10.38 client app release. As per industry standard practice, we also submitted the appropriate common vulnerabilities and exposures (CVEs) to the MITRE corporation.
Robinhood’s Red Team found vulnerabilities that can occur only when a device is compromised, by malware for example, and a malicious actor has control over the device as a result. Further, when malware or a malicious user gains control over a user’s device, little can be done to guarantee its security. Resolving these issues has been a top priority, and we will continue to do everything we can to protect our users.
Technical background
Security researchers from Robinhood’s Red Team disclosed that they had discovered six vulnerabilities in 1Password for Mac. All the vulnerabilities are local and require a device to be compromised, by malware for example, and controlled by a bad actor.
We have addressed the issues within our control with the latest updates rolled out in the 8.10.38 client app release, and have not seen any evidence of them occurring in real life.
The one unresolved issue involves how Chromium-based browsers (for example Chrome, Edge and Brave) and Firefox manage communication between browser extensions and desktop apps. This isn’t an issue unique to 1Password. When malware or a malicious user gains full control of a device, they can essentially take over communication between an app and the browser.
Please see “NMH Binary manipulation through browser process impersonation” in the next section for more information.
For security professionals who would like additional details, we have published two CVEs to provide additional transparency and an overview of the issues below.
Vulnerability details
Biometric enforcement flag missing (CVE-2024-42218)
Issue: There is an issue that affects 1Password’s platform security protections in 1Password 8 for Mac. This issue enables attackers to use out-of-date versions of the 1Password 8 for Mac app to bypass platform-specific security mechanisms applied on macOS. This could be used to steal secrets from the app.
Resolution: This issue was resolved in 1Password for Mac version 8.10.38 (August 2024). If you’re using an affected version of 1Password 8 for Mac, update to the latest version.
Browser Help XPC Bypass (CVE-2024-42219)
Issue: There is an issue that affects 1Password’s platform security protections in 1Password 8 for Mac. This issue enables a malicious process running locally on a machine to bypass inter-process communication protections.
This issue is the root cause for two additional issues that were reported by Robinhood:
- XPC authorized CLI session riding
- XPC session type manipulation
Resolution: This issue was resolved in 1Password for Mac version 8.10.36 (July 2024). If you’re using an affected version of 1Password 8 for Mac, update to the latest version.
NMH Binary manipulation through browser process impersonation (originally reported as: Browser Support getppid bypass)
Issue: “Connect with 1Password in the browser” is a feature of 1Password that allows for communication between the 1Password desktop application and browser extensions. The channel between the application and browser extension is subject to spoofing, which could allow a local attacker to pretend to be the browser and communicate with 1Password to obtain user secrets.
Resolution: This issue stems from browser limitations in Chromium-based browsers (for example Chrome, Edge and Brave) and in Firefox. It can’t be resolved because third-party desktop applications that communicate with browsers, including 1Password, are unable to detect whether a browser is being controlled by malware, and thus cannot verify the browser’s authenticity. The browsers provide no alternative or more secure technology for this channel.
For more information about options, please see this support article. The 1Password app and browser extension connection security details can be found in this support article.
Settings file unprotected from unauthorized changes
Issue: 1Password Settings are stored in a JSON file on disk. Lack of protections allowed settings to be changed by updating the JSON file, which required standard user access to the computer. No authentication to 1Password was required to change these settings. As a result, it was possible for 1Password settings to be modified by malicious actors.
Resolution: This issue was fixed in 1Password version 8.10.38 (August 2024) by enforcing additional integrity protections. For more information, see this support article.
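The post does not say how the integrity protection is implemented. The following is an added illustration, not 1Password’s code, of the general pattern: settings on disk are tagged with an HMAC under a key that only becomes available after the user authenticates, so an edit made with plain file-system access fails verification and the app falls back to safe defaults. The setting names, the key derivation and the status strings are constructed for the example; the approach only helps if the key is not readable with the same standard user access as the settings file.

```python
import hashlib
import hmac
import json
from typing import Any, Optional

# Constructed defaults: the strictest values, used whenever the file cannot be trusted.
SAFE_DEFAULTS: dict[str, Any] = {"lock_on_sleep": True, "auto_lock_minutes": 10, "browser_integration": False}


def canonical(settings: dict[str, Any]) -> bytes:
    """Stable serialization so key order or whitespace never affects the tag."""
    return json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()


def seal(settings: dict[str, Any], key: bytes) -> str:
    """Serialize settings together with an HMAC tag computed under the post-authentication key."""
    tag = hmac.new(key, canonical(settings), hashlib.sha256).hexdigest()
    return json.dumps({"settings": settings, "tag": tag})


def load(blob: Optional[str], key: bytes) -> tuple[dict[str, Any], str]:
    """Return (settings, status). Missing, malformed or tampered files fail closed to SAFE_DEFAULTS."""
    if blob is None:
        return dict(SAFE_DEFAULTS), "missing"
    try:
        doc = json.loads(blob)
        settings, tag = doc["settings"], doc["tag"]
        if not isinstance(settings, dict) or not isinstance(tag, str):
            raise TypeError("unexpected shape")
    except (ValueError, KeyError, TypeError):
        return dict(SAFE_DEFAULTS), "malformed"
    expected = hmac.new(key, canonical(settings), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        # A status the app can log as a detection event before discarding the file.
        return dict(SAFE_DEFAULTS), "tampered"
    return settings, "ok"


def demo() -> tuple[str, str, bool]:
    """Seal a settings file, then edit it on disk the way the report describes, and reload both."""
    key = hashlib.sha256(b"constructed key, available only after unlock").digest()
    sealed = seal({"lock_on_sleep": True, "auto_lock_minutes": 10, "browser_integration": True}, key)
    doc = json.loads(sealed)
    doc["settings"]["lock_on_sleep"] = False  # direct JSON edit, no authentication to the app
    tampered = json.dumps(doc, indent=2)      # re-formatting alone does not break a valid tag
    loaded, status = load(tampered, key)
    return load(sealed, key)[1], status, loaded["lock_on_sleep"]
```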
We would like to extend our sincere thanks to Robinhood’s Red Team and the company’s cybersecurity team in identifying these issues and partnering with us to address them before their presentation at DEF CON 2024. Please contact us at security@1password.com if you have any questions.