Latest MacOS Keychain Vulnerability Discovered

dsjr2006
Community Member

I haven’t actually looked into the researchers’ further explanations, but there was this story (https://thehackernews.com/2017/09/macos-high-sierra-keychain.html?m=1) about a newly discovered vulnerability in the MacOS Keychain. I’m wondering if this affects 1Password users who use TouchID on MacBook Pros since the credentials for unlocking 1P are stored in the Keychain in some form. The news clips would suggest the 1P master password could be compromised. Is that correct?

Thanks for all your work team!

Comments

  • AGAlumB
    1Password Alumni

    @dsjr2006: When you use Touch ID with 1Password, your Master Password is not stored in the Keychain in plaintext. However, it's certainly possible that someone with access to your Keychain (whether thanks to a vulnerability or because you're sharing a user account) could capture the obfuscated secret which is stored there, decipher it, and potentially use it to access your data. So I'd definitely recommend keeping that in mind until Apple is able to patch this (which I'd bet is high on their priority list), and also any time you install 3rd party software or allow someone else access to your system. After all, it's likely that other vulnerabilities will be found in the future, and giving anyone a foothold is risky regardless.

  • dsjr2006
    Community Member

    That answers my question. Thanks for the quick response!

  • AGAlumB
    1Password Alumni

    You're totally welcome! We're here if you have any others. Always good to stay ahead of this stuff where we can. :)

This discussion has been closed.