1Password CLI Vulnerability
7 hours ago
- #vulnerability
- #1password
- #security
- Reported vulnerability in 1Password's CLI tool (op) in October 2023.
- Vulnerability allows unauthorized access to vaults after initial unlock.
- Two attack paths identified: IDE extensions and malicious npm packages.
- Proof of concept demonstrates exfiltration of vault data.
- 1Password authorized public disclosure via BugCrowd in January 2024.
- Recommendations include avoiding CLI use and disabling CLI integration.
- Suggests 1Password implement vault access limitations or per-process prompts.