1Password users on Mac need to update urgently: attackers could access vaults

Popular password manager 1Password has patched a high-severity vulnerability that allows attackers to target Mac users and access sensitive secrets. The issue, tracked as CVE-2024-42219, affects all 1Password [8] for Mac versions before version 8.10.36, released in July 2024. … The vulnerability allows attackers to use malicious software and exfiltrate vault items, which basically means stealing passwords, credit cards, and other sensitive information stored in 1Password. Attackers can also obtain an account unlock key and a special code for signing into the application.

CVE-2024-42219 for 1Password 8 for Mac

If you’re using an affected version of 1Password for Mac, update to the latest version. … An attacker is able to misuse missing macOS specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI. This would permit the malicious software to exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and “SRP-??”.