Major security problem with Facebook and 1Password

I recently decided to update the security and privacy settings on my Facebook account. I noticed a "security question" option, where I had to select a question, enter an answer and my password to save it. I selected my question, entered my answer, and hit Cmd-\ to fill my password. I had auto-submit enabled, and since there is no option to manually "fill only" anymore, 1Password CHANGED MY SECURITY QUESTION ANSWER to my email address, filled my password and submitted the form.

For anyone not familiar with Facebook's policy about the security question, it can NEVER BE CHANGED once set. Thanks to 1Password, the answer to my security question is now and forever set to my email address, which is my Facebook login and has absolutely nothing to do with the question. I'm sure you can appreciate that this is not very secure.

Yes, Facebook's security policy is rediculous to begin with, and they should ask for confirmation and display warnings before saving this change. I had no idea when I was doing this that it was irreversible. However, now thanks to 1Password changing a security question answer I had already filled to my email address and offering no easy way to temporarily disable auto-submit, the whole world has a permanent backdoor into my account.

Comments

  • There is the option to fill only, but you have to use the mouse. You bring up the dialog by clicking on the 1P icon on the toolbar, and click on the header of the section. If it says "Fill and Submit Login", clicking it will change it to "Fill Login". Of course, it would have been easier if you knew this before you had your bad experience, but learning from mistakes is very effective :-).
  • It would be nice if this option was made clearer. Even still, it doesn't change the fact that 1Password replaced a non-username field that I had already provided a value for with it's own incorrect value.
  • khadkhad Social Choreographer

    Team Member
    It looks like Mussau beat me to it, but I did address the matter of disabling autosubmit in the my reply to your other post:

    http://forum.agilebits.com/index.php?/topic/10082-fill-without-submitting/page__view__findpost__p__58115

    You can also toggle autosubmit in the extension's settings which are more obvious perhaps than clicking the header. That is just a shortcut. The settings are much more discoverable.

    20120210-9gnytujfn299ebq4g4uty5uyi.png
    What I am wondering is, if you believed it was impossible to toggle autosubmit, why would you use 1Password to fill and submit such a page?

    I would contact Facebook customer service for this matter. I hope you are able to get the matter resolved to your satisfaction.
This discussion has been closed.