Skip to main content
XIII
March 22, 2024
Question

(How) Does GoFetch affect 1Password?

  • March 22, 2024
  • 4 replies
  • 729 views

(How) Does the (Apple Silicon) M1/M2(/M3?) GoFetch vulnerability affect 1Password?

https://gofetch.fail

4 replies

Qutrit
March 23, 2024

Also interested in knowing the answer to this

March 23, 2024

Hi,

I would like to understand what are the risks and possible implications regarding 1Password running on vulnerable Apple chips (M1, M2 and M3).

For reference:

https://www.theregister.com/2024/03/22/hardwarelevel_apple_silicon_vulnerability_can/

https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/

Thanks,
Diego


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

XIII
XIIIAuthor
March 23, 2024
1P_Dave
1Password Employee
March 25, 2024

Hello folks,

Thank you for raising this. At this time, we are not aware that 1Password is generally impacted by the new vulnerabilities uncovered by the GoFetch research against Apple's ARM64/Apple Silicon CPUs. This vulnerability requires that an attacker is able to run code locally on the same system as 1Password and requires that malicious software could present 1Password with data to perform cryptographic operations on:

The GoFetch app connects to the targeted app and feeds it inputs that it signs or decrypts.

1Password's clients don't accept arbitrary input from other applications on the system by default. For users of the SSH agent feature, an attacker who can trick a 1Password user into authorizing a terminal tab or application with an illegitimate application attempting to exploit GoFetch may be able to have 1Password silently perform enough cryptographic operations using a private key inside of their vault to leak data via side channels. To help protect against this occurring, make sure that you recognize and trust the applications (and the paths of those applications) requesting to use your SSH keys in authorization prompts.

-Dave