XIII
Super Contributor
2 years ago

(How) Does GoFetch affect 1Password?

(How) Does the (Apple Silicon) M1/M2(/M3?) GoFetch vulnerability affect 1Password?

https://gofetch.fail

4 Replies

  • Hello folks,

    Thank you for raising this. At this time, we are not aware that 1Password is generally impacted by the new vulnerabilities uncovered by the GoFetch research against Apple's ARM64/Apple Silicon CPUs. This vulnerability requires that an attacker is able to run code locally on the same system as 1Password and requires that malicious software could present 1Password with data to perform cryptographic operations on:

    The GoFetch app connects to the targeted app and feeds it inputs that it signs or decrypts.

    1Password's clients don't accept arbitrary input from other applications on the system by default. For users of the SSH agent feature, an attacker who can trick a 1Password user into authorizing a terminal tab or application with an illegitimate application attempting to exploit GoFetch may be able to have 1Password silently perform enough cryptographic operations using a private key inside of their vault to leak data via side channels. To help protect against this occurring, make sure that you recognize and trust the applications (and the paths of those applications) requesting to use your SSH keys in authorization prompts.

    -Dave

  • diegolinke
    Occasional Contributor

    Hi,

    I would like to understand what the risks and possible implications are regarding 1Password running on vulnerable Apple chips (M1, M2 and M3).

    For reference:

    https://www.theregister.com/2024/03/22/hardwarelevel_apple_silicon_vulnerability_can/

    https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/

    Thanks,
    Diego


  • Qutrit
    New Contributor

    Also interested in knowing the answer to this