Password manager 1Password patched a flaw in the Mac version of its software that could have allowed an attacker to steal vault data, according to a disclosure made on Aug. 6. The vulnerability could only be exploited if the attacker tricked the user into installing malware. Some crypto users rely on 1Password to store backup copies of wallet seed words, private keys, or exchange passwords.
According to the disclosure, the vulnerability could have allowed an attacker “to misuse missing macOS specific inter-process validations to hijack or impersonate a trusted 1Password integration such as the 1Password browser extension or CLI [command line interface],” which would have allowed the attacker “to exfiltrate vault items.”
The vulnerability was discovered by the Robinhood Red team. It was patched in version 8.10.36, and 1Password is encouraging users to upgrade to the latest version to protect themselves from this attack vector.
Jameson Lopp, co-founder of Bitcoin wallet provider Casa, disclosed the issue to his followers on Aug. 8 in an attempt to raise awareness. “If you use 1Password on Mac, update ASAP,” Lopp stated.
According to Apple developer documents, MacOS versions 10.0 and above contain a “hardened runtime” feature that developers can optionally use to prevent certain kinds of attacks, including “code injection, dynamically linked library (DLL) hijacking, and process memory space tampering.” In its disclosure, 1Password stated that it attempts to use this feature to prevent “certain local attacks from being possible” against its users.
However, because earlier versions of 1Password lacked some of the inter-process validations required to make this feature work, an attacker could bypass the hardened runtime protections and carry out local attacks. This could potentially allow an attacker to exfiltrate “the account unlock key and ‘SRP-𝑥.’”
According to 1Password documents, the “SRP-x” is a variable used as part of the software’s secure remote password system, which is one of the pieces of data needed to access the user’s vault data. The account unlock key or account password is another piece of data needed for this purpose.
Neither the Robinhood Red researchers nor the 1Password team found any evidence that the vulnerability was actually used by an attacker. For an attack to be executed, the malware developer would have needed to write a program specifically targeting 1Password for MacOs and they would have needed to trick the user into downloading and running the program.
The latest version of 1Password has eliminated the vulnerability. However, users should check their 1Password version to ensure it is not earlier than 8.10.36.
Related: The ultimate guide to password management for crypto enthusiasts
Storing seed words or private keys on a password manager can be risky. In December 2022, password manager LastPass revealed that its servers had been breached and some customers’ encrypted vaults had been stolen. In the following month, a Bitcoin user filed a lawsuit against LastPass, claiming that over $53,000 of his Bitcoin had been stolen as a result of the breach. According to the filing, the plaintiff had stored his Bitcoin seed phrase inside of a LastPass vault, which was stolen and decrypted by the attacker, allowing the attacker to drain his Bitcoin account.
Magazine: How crypto bots are ruining crypto — including auto memecoin rug pulls