[delusional]

Yep.

This "vulnerability" is actually just a standard warning to not run untrusted software on your machine. In this case the attacker can leverage a commandline program to read your unlocked password vault, but without that he'd still be able to steal any user owned files on your machine and access your bank through your browser to steal your money.

"It rather involved being on the other side of this airtight hatchway."

[psanford]

Yes. It is a nice report that does not engage with 1password's security model at all. 1password specifically says that they do not think it is feasible to defend against locally executing malware.

[dangus]

“Not feasible” except that the author of the article provided a list of relatively low-effort solutions that 1Password could implement to improve the situation.

I’m pretty sure defending against locally executing malware is something that companies like Apple and Microsoft work on daily. The idea that it’s not “feasible” sounds suspiciously lazy.

[krater23]

Especially Apple works on that on the iPhone by scanning every new app and leave the customer only install that one that are signed by Apple itself. And they still fail with it.

[chatmasta]

For those not in the know, the hatchway quote is a reference to Raymond Chen’s 2006 blog post: https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...

[GauntletWizard]

Which itself is a Hitchhiker's Guide to the Galaxy reference.