(How) Does GoFetch affect 1Password?
(How) Does the (Apple Silicon) M1/M2(/M3?) GoFetch vulnerability affect 1Password?
Comments
-
Also interested in knowing the answer to this
0 -
Hi,
I would like to understand what the risks and possible implications are regarding 1Password running on vulnerable Apple chips (M1, M2 and M3).
For reference:
https://www.theregister.com/2024/03/22/hardwarelevel_apple_silicon_vulnerability_can/
Thanks,
Diego
0 -
Already asked here: https://1password.community/discussion/145013/how-does-gofetch-affect-1password
Unfortunately, no answer yet.
0 -
Hello folks,
Thank you for raising this. At this time, we are not aware that 1Password is generally impacted by the new vulnerabilities uncovered by the GoFetch research against Apple's ARM64/Apple Silicon CPUs. This vulnerability requires that an attacker is able to run code locally on the same system as 1Password and requires that malicious software could present 1Password with data to perform cryptographic operations on:
The GoFetch app connects to the targeted app and feeds it inputs that it signs or decrypts.
1Password's clients don't accept arbitrary input from other applications on the system by default. For users of the SSH agent feature, an attacker who can trick a 1Password user into authorizing a terminal tab or application with an illegitimate application attempting to exploit GoFetch may be able to have 1Password silently perform enough cryptographic operations using a private key inside of their vault to leak data via side channels. To help protect against this occurring, make sure that you recognize and trust the applications (and the paths of those applications) requesting to use your SSH keys in authorization prompts.
-Dave
1