Why closing discussions without any effort to make your product better?
Hello folks,
Thank you for raising this. At this time, we are not aware that 1Password is generally impacted by the new vulnerabilities uncovered by the GoFetch research against Apple's ARM64/Apple Silicon CPUs. This vulnerability requires that an attacker is able to run code locally on the same system as 1Password and requires that malicious software could present 1Password with data to perform cryptographic operations on:
"The GoFetch app connects to the targeted app and feeds it inputs that it signs or decrypts."
1Password's clients don't accept arbitrary input from other applications on the system by default. For users of the SSH agent feature, an attacker who can trick a 1Password user into authorizing a terminal tab or application with an illegitimate application attempting to exploit GoFetch may be able to have 1Password silently perform enough cryptographic operations using a private key inside of their vault to leak data via side channels. To help protect against this occurring, make sure that you recognize and trust the applications (and the paths of those applications) requesting to use your SSH keys in authorization prompts.
-Dave