Using 1Password on Mac? Patch up if you don’t want your Vaults raided

Password manager 1Password is warning that all Mac users running versions before 8.10.36 are vulnerable to a bug that allows attackers to steal vault items. 1Password Vaults are essentially mini password managers inside the main app itself. They allow users to separate passwords used for different purposes, like personal …

  1. Anonymous Coward

    Quick and easy update.

    Thanks for the heads up. Download and install of the update was painless and took less than 30 seconds.

    There was a note upon relaunch that some settings were reset to default; I guess this was also precautionary.

    1. big_D

      Re: Quick and easy update.

      Yeah, mine updated yesterday morning, but got a heads up as to why from Davey Winder on X later in the day.

    2. philstubbington

      Re: Quick and easy update.

      Same here - all very straightforward. Panic over before it began ;)

    3. yaronf

      Re: Quick and easy update.

      Also, even if you're already on 8.10.36, you'd better update to latest. The next 2 releases are also security-related.

  2. Anonymous Coward

    Does this also apply to 1Password 7?

    Any "versions before 8.10.36" would suggest 1Password 7 is also affected. I would just like to prevent upgrading from 7 to 8 if I can.

    1. anothercynic Silver badge

      Re: Does this also apply to 1Password 7?

      Same! :-(

      1. aaaashy

        Re: Does this also apply to 1Password 7?

        Same :-(

    2. Gazmeister

      Re: Does this also apply to 1Password 7?

      No, luckily it’s just 1Password 8.

      From the 1password site https://support.1password.com/kb/202408/

      “This issue affects all 1Password 8 for Mac versions before 8.10.38 (August 2024).”

  3. zipityzi

    Why aren't CVEs noted in 1P release notes?

    I read 1Password Release notes pretty religiously and 1Password never mentioned this CVE (nor any security vuln fix) in the 8.10.36 patch notes. Luckily, I'd already updated.

    https://releases.1password.com/mac/8.10/#changelog

    Critical security patches should always be mentioned in release notes: it gives users a heads up & pushes them to update other devices. Not a good look for a security-focused company.

    1. benderama

      Re: Why aren't CVEs noted in 1P release notes?

      If “the threats” don’t know what is being fixed in the new release, they don’t know what to target for users on older versions. And they won’t know what to probe to see if the new version is truly fixed.

      In theory. I dunno. I use post-its

      1. Anonymous Coward

        Re: Why aren't CVEs noted in 1P release notes?

        Post-it notes are vulnerable to camera attacks? ;-)

        1. Fred Flintstone Gold badge

          Re: Why aren't CVEs noted in 1P release notes?

          Only if you write on the front :)

    2. big_D

      Re: Why aren't CVEs noted in 1P release notes?

      It is on the first line of the 8.10.36 release notes. 8.10.38 has CVE-2024-42218. Both 42218 and 42219 come from Robinhood's Red Team and seem to be similar issues.

      July 9 2024

      1Password for Mac 8.10.36

      This release contains an important security update related to CVE-2024-42219. Please see the accompanying security advisory

      and

      August 6 2024

      1Password for Mac 8.10.38

      This release contains an important security update related to CVE-2024-42218. Please see the accompanying security advisory

    3. Tom 38

      Re: Why aren't CVEs noted in 1P release notes?

      Obviously not that religiously to miss the two CVE vulnerabilities listed on the page you linked to.

  4. Joe Gurman

    Ugh.

    I had resisted upgrading from 7 to 8 on macOS because of AgileBits' development environment and "all cloud storage" decisions. Now I'm forced to introduce a less secure password manager as a backup for iCloud password management. Blah.

    1. Anonymous Coward

      Re: Ugh.

      Maybe try heylogin?

      I rather like their approach, but I'm still testing right now. Switching isn't overly cumbersome as you can export and import from other platforms but it does work differently.

  5. harrys

    "In September 2023, 1Password surpasses $250 million in annual recurring revenue where more than two-thirds of its revenue is generated from more than 100,000 business customers"

    very very big and closed source and they are really hot on marketing themselves

    conclusion ..... best avoided

    Polar opposite .... bitwarden, every one of my customers uses it

    All bitwarden code is open source and can be examined by anyone and they also have it regularly vetted by an **outside** source

    plus if online vaults ever got leaked.... I've set the bitwarden KDF to Argon2 meaning that vault can never be brute forced open if leaked/stolen ... EVER

    unlike the poor sods whose Lastpass vaults got stolen who were never automatically upgraded to latest ciphers (another big company this time with private equity behind it .... yuk)

    1. hokum

      I feel like 1Password vaults are pretty safe if leaked because they use a lengthy randomised secret key alongside the master password. Unless you possess both the password and key you prob ain't gettin in.

    2. pc-fluesterer.info

      Full ACK.

      I completely second that. I for one would NEVER give my credentials to a Closed-Source product, for various reasons.

      Only way is FOSS. In terms of PW managers that is - depending on taste - keepass (and derivatives) or Bitwarden. Full stop.

  6. razorfishsl

    This seems more like a way to F*** over the perpetual license owners...

    going back a few years they already knew this process was leaking and it was not an "issue"

    They also admitted the PW were stored encrypted in main memory... after the master pw was entered.

    But the interesting thing is WTF are they STILL having the 7.x version in the apple store if they know it is F**ed...

    or is that just a "hook" and then a forced upgrade to 8.x

    Let's cut to the chase.....

    I don't want a bunch of fuckwhits forcing me to store my pw in the cloud and charging me to do it...

    nor do i want the same said fuckwhits to be spamming my screen with cloud signups every time I login to a website

  7. Dizzy Dwarf

    it's all cool here

    I've got falcon-sensor installed. Um...

  8. Hat trick swayze

    Avoid cloud services

    I still run 1Password 6 on my Mac and version 7 on my iPhone for this reason. My passwords are only stored on those two places. I sync them regularly.

    1. razorfishsl

      Re: Avoid cloud services

      Same.....

      but don't let the store update your version 6.....

      once it's done, the version 6 is strangely DEAD.... and won't run any longer, well it runs but you cannot log in.

      Also they seem to have removed the "plugins" from their web site.

      so if your V6 needs to reload the plugin into the browser.. strangely they are GONE..... Despite it being a perpetual license you can no longer get copies of the SW. or plugins, even if you have a valid license.

      so a lot more is going on with this than just some "randomly found CVE"
