PT-2021-23408 · Agilebits · 1Password For Mac

Megamind · Published 2021-09-29 · Updated 2022-07-12 · CVE-2021-41795

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

1Password for Mac versions 7.7.0 through 7.8.x before 7.8.7

Description

The Safari app extension bundled with 1Password for Mac is vulnerable to authorization bypass. A malicious web page could read a subset of 1Password vault items, including usernames and passwords for vault items associated with its domain, usernames and passwords without a domain association, credit cards, and contact items, by targeting a vulnerable component of this extension. These items are accessible when 1Password is unlocked, and no further user interaction is required.

Recommendations

For 1Password for Mac versions 7.7.0 through 7.8.x before 7.8.7, update to version 7.8.7 or later to resolve the issue. As a temporary workaround, consider disabling the Safari app extension until a patch is available. Restrict access to sensitive vault items to minimize the risk of exploitation. Avoid using the 1Password extension on untrusted web pages until the issue is resolved.

Fix

Related Identifiers

CVE-2021-41795

Affected Products

1Password For Mac