Password manager 1Password patched a CVE in the MacOS app that could have allowed an attacker to steal hack your private data.
In a disclosure, they posted that they recently addressed two critical vulnerabilities affecting its macOS app, identified as CVE-2024-42219 and CVE-2024-42218. These vulnerabilities could potentially allow attackers to bypass security mechanisms and steal sensitive information from users’ vaults.
The CVE is roughly as follows:
CVE-2024-42219: This vulnerability involves a flaw in inter-process communication protections on macOS. It allows a malicious program running locally on a user’s machine to hijack or impersonate trusted 1Password integrations like the browser extension. This could enable attackers to exfiltrate vault items and potentially access sensitive information such as passwords and login credentials.
CVE-2024-42218: This issue affects older versions of the 1Password application for Mac, where attackers could exploit outdated software to bypass macOS-specific security mechanisms. This could lead to unauthorized access to sensitive data stored in the macOS Keychain.
So far, researchers haven't found any evidence that the vulnerability was actually used by an attacker. For an attack to be executed, the malware developer would have needed to write a program specifically targeting 1Password for MacOs, and they would have needed to trick the user into downloading and running the program.