Quick and easy update.
Thanks for the heads up. Download and install of the update was painless and took less than 30 seconds.
There was a note upon relaunch that some settings were reset to default; I guess this was also precautionary.
Password manager 1Password is warning that all Mac users running versions before 8.10.36 are vulnerable to a bug that allows attackers to steal vault items. 1Password Vaults are essentially mini password managers inside the main app itself. They allow users to separate passwords used for different purposes, like personal …
I read 1Password Release notes pretty religiously and 1Password never mentioned this CVE (nor any security vuln fix) in the 8.10.36 patch notes. Luckily, I'd already updated.
https://releases.1password.com/mac/8.10/#changelog
Critical security patches should always be mentioned in release notes: it gives users a heads up & pushes them to update other devices. Not a good look as a security-focused company.
It is on the first line of the 8.10.36 release notes. 8.10.38 has CVE-2024-42218. Both 42218 and 42219 come from Robinhood's Red Team and seem to be similar issues.
July 9 2024
1Password for Mac 8.10.36
This release contains an important security update related to CVE-2024-42219. Please see the accompanying security advisory
and
August 6 2024
1Password for Mac 8.10.38
This release contains an important security update related to CVE-2024-42218. Please see the accompanying security advisory
"In September 2023, 1Password surpasses $250 million in annual recurring revenue where more than two-thirds of its revenue is generated from more than 100,000 business customers"
very very big and closed source and they are really hot on marketing themselves
conclusion ..... best avoided
Polar opposite .... bitwarden, every one of my customers uses it
All bitwarden code is open source and can be examined by anyone and they also have it regularly vetted by an **outside** source
plus if online vaults ever got leaked.... I've set the bitwarden KDF to Argon2 meaning that vault can never be brute forced open if leaked/stolen ... EVER
unlike the poor sods whose Lastpass vaults got stolen who were never automatically upgraded to latest ciphers (another big company this time with private equity behind it .... yuk)
This seems more like a way to F*** over the perpetual license owners...
going back a few years they already know this process was leaking and it was not an "issue"
They also admitted the PW were stored encrypted in main memory... after the master pw was entered.
But the interesting thing is WTF are they STILL having the 7.x version in the apple store if they know it is F**ed...
or is that just a "hook" and then a forced upgrade to 8.x
Let's cut to the chase.....
I don't want a bunch of fuckwits forcing me to store my pw in the cloud and charging me to do it...
nor do I want the same said fuckwits to be spamming my screen with cloud signups every time I login to a website
Same.....
but don't let the store update your version 6.....
once it's done, the version 6 is strangely DEAD.... and won't run any longer, well it runs but you cannot log in.
Also they seem to have removed the "plugins" from their web site.
so if your V6 needs to reload the plugin into the browser.. strangely they are GONE..... Despite it being a perpetual license you can no longer get copies of the SW or plugins, even if you have a valid license.
so a lot more is going on with this than just some "randomly found CVE"