Does CVE-2024-42219 affect 1Password 7 for Mac? [See approved response]
Is 1P v7 vulnerable to the "critical" security flaw? Wow!!!!!
Comments
-
I just read the advisory. It says, "This issue affects all 1Password 8 for Mac versions before 8.10.36 (July 2024)." Is 1P7 also impacted? Thanks!
0 -
Don't be surprised if 1P deletes your post. I linked to a couple sites yesterday and asked a simple question. As a user of 1Pv7, is it vulnerable to the same flaw that allows attackers to steal credentials? I checked this morning to see if 1P answered. My post was deleted. I guess they did not like an embarrassing question. I see where 1P is hiring. Here's a thought, instead of thanking Robinhood’s Red Team, hire the entire team.
1 -
@BoomerOz Do you mean this post?
https://1password.community/discussion/147573/critical-security-flaw
It was just moved into a more appropriate forum ("Previous versions").
Also, to contribute to the discussion: I too would like to see some sort of emergency newsletter to customers and team/business admins to report on the fixed vulnerability. So that IT can threaten their employees with violence if they do not run the update RIGHT NOW, lol.
1 -
How is there no reply to this?
How is there no email to 1Password users about this?
How is there no in-App notice regarding this?
My Mac is on the last version of 1Password released through the App Store. I’d like to know the answer also.
2 -
OMG, how on earth don't they even mention if 1Password 7 is vulnerable or not?
1 -
Me too
0 -
Because "my conversations" seems to be only topics you started. Replying is a comment, as far as the community software is concerned.
1 -
They do now! ☺️
See linked KBs in https://blog.1password.com/august-2024-security-update/
0 -
They updated the support articles and also published a blog detailing vulnerabilities https://blog.1password.com/august-2024-security-update/
0 -
Hello everyone,
I've merged a few threads and comments together so that we can keep conversation related to 1Password 7 and CVE-2024-42219 in one place. 1Password 7 for Mac is not affected by this issue.
Some users were not aware that an additional CVE went out earlier in the week, that is CVE-2024-42218. 1Password 7 is also not affected by this issue.
The above CVEs were released earlier in the week in advance of a talk that Robinhood’s Red Team (the researchers who reported the issues) gave at DEF CON on Saturday, August 10. Robinhood’s Red Team found issues that can occur only when a device is compromised, by malware for example, and a malicious actor has control over the device as a result. Further, when malware or a malicious user gains control over a user’s device, little can be done to guarantee its security. For more information about the Robinhood Red Team’s findings, refer to our blog.
In addition to the CVEs we published, there were two additional issues found as part of this research. The reported issues are not unique to 1Password since they're classified as a “local attack”, which means a malicious actor must gain access to an end user’s computer before they could exploit it. The two additional issues do affect 1Password 7:
1. Originally reported as “Browser Support getppid Bypass” based on how the researchers were able to accomplish the local attack on macOS. Allows a malicious actor to spoof browser communication, potentially exposing user secrets. This impacts 1Password 7 and 8 desktop apps on macOS, Windows, and Linux.
   This issue stems from browser limitations with Chromium-based browsers (for example, but not limited to: Chrome, Edge, Brave, etc.) and the Firefox browser. It can’t be resolved because third-party desktop applications communicating with browsers, including 1Password, are unable to detect if a browser is being controlled by malware, and thus verify the browser authenticity. There is no alternative or more secure technology provided.
2. Settings can be altered without authentication, impacting security configurations. This impacts 1Password 8 desktop apps (macOS, Windows, and Linux) on versions prior to 8.10.38, as well as all versions of 1Password 7. While the technology behind the settings differs slightly between 1Password 8 and 1Password 7 desktop apps, 1Password 7 is also impacted by a similar settings integrity issue.
Since we no longer support non-critical 1Password 7 vulnerabilities, we recommend you look at upgrading to 1Password 8 if local threats are of concern to you.
-Dave
1