Password transfer from email to survey form

Brian987

Just bought some shoes from Rieker online. They emailed me imviting me to fill out a survey on my purchase. I'm doing this on my Ipad.
On their email, I "copy" the product code, select the "take survey" option, and the form opens in Safari. I "paste" the product code in the title box, but..........
Instead of the product code appearing (an 8-digit numeric code) I see to my amazement, and shock, one of my passwords stored in your app (which I have been happily using for quite a while). The password appeared in clear text. This one is 12 characters, a mix of upper and lower case, plus numbers and other characters, all quite random. It is used in only one of the 72 entries I currently hold in this app.
I find this deeply concerning, as you can imagine.
I've erased the password, and repeated the copy-and-paste routine, and it worked properly.
I have completed and submitted my review to Rieker.
Finally, I tried again to reproduce what happened, but the tab on the Rieker email now tells me "you have already submitted a review"!
Please can you help/advise?
Many thanks
Brian M Barber

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Password transfer from email to survey form

Ben

Hi @Brian987

Could you please check in the Settings app under Passwords & Accounts > AutoFill Passwords to see if you have iCloud Keychain enabled? If you do please disable it.

Thanks.

Ben

Brian987

Hi Ben, Thanks for getting back to me. I think you must be talking about a more modern Ipad than ours are. Mine is an original, about 6 years old. It doesn't have the selections you refer to in "Settings". However, my wife's Ipad Air (first version) does have something similar; not "Autofill Passwords" but I found my way to iCloud Keychain, and it was already disabled. In fact, the acces to the Cloud has never been enabled. It could have been relevant to my experience, as both our Ipads are registered to the same two email addresses, but it seems that the explanation for my symptoms must lie elsewhere.
Any other thoughts?
Thanks,
Brian

Ben

Brian,

Thanks for the additional information. There are three ways that 1Password can interact with web pages:

• Password AutoFill: This is a feature of iOS 12 that we have integration with. When enabled (disabled by default) 1Password provides credentials to web pages through Apple's Password AutoFill API. Use 1Password to fill and save on your iPhone and iPad

• The 1Password extension: This extension is accessed through the iOS "Share" sheet (
  ). Use the 1Password extension to fill in Safari and apps on your iPhone and iPad

• 1Browser: The browser built-into 1Password. This is the only option on iOS for "Go & Fill" where tapping on a URL will take you to the specified page and fill in the corresponding credentials

So, a few questions that I would have:

• Were you using any of the above mentioned features at the time this happened?
• Did the password that you saw on the Rieker web page match a Login item that you have saved for Rieker? If not, does the Login item that password is associated with have an appropriate website field specified on it?

1Password only fills Login items where the URL in the website field matches the URL of the page you're currently viewing. If you were not using any of the above features and do not have a Login item with that password on it that has a website field that matches the page you were on then I'm struggling to figure how what you saw could be associated with 1Password.

Please let us know.

Ben

Brian987

Hi Ben,
Sorry for the delay; I'm still getting used to finding this Forum page to see if you have sent a reply.
To answer your questions:
No, I wasn't using any of the three features.
No, the password that I saw on the Rieker survey page is unique to the one, financial account where it is stored. I have not entered a web address for any of the logins (now there are 73), as I keep a separate register of the ones I use frequently; on my Ipad they are stored as Bookmarks ( this includes the financial website in question, but not the Rieker website).
I can see this is difficult, and I am completely baffled and disturbed. I fondly imagined I had created a really secure password. I only ever transfer it by copying the unrevealed password, and pasting it into the 'log in' page of the financial website. And suddenly, there it is in full view!
I do hope you may find a solution.
Best wishes
Brian

Ben

@Brian987

You mentioned that this happened while attempting to paste... in speaking with one of my colleagues I was reminded of a feature that may explain what you saw. 1Password for iOS has a feature where if you copy the username from a record and then at some point switch back to 1Password it copies the password from that record automatically. Does that possibly explain the behavior you saw?

Ben

Brian987

Hi Ben,
I don't think so, although its an interesting idea.
I should explain that the financial website whose password was "lifted" was Fidelity. The survey form was an attachment to an email from Rieker. The number I was trying to copy and paste was the product code in the email for the shoes I had bought, and nothing to do with any record in 1password; I haven't even made a record of the Rieker account, and there was no requirement to supply a user name in order to complete the survey. I can't really seehow there could have been any connection from and email from Rieker with a password in the Fidelity record.
Somewhere there must be an explanation?!!
Best wishes
Brian

AGKyle

Hi @Brian987

Ben asked me to jump in here. I'm on both our iOS team and our security team.

First I want to say it's unlikely we find any definitive way to explain this since we don't keep a record of any of this in the logs for 1Password. So we can't reference anything to indicate what may have been done. Best I can do is offer up the ways that items can be copied to the clipboard.

There are only 5 ways that I can think of that causes anything to be in the iOS clipboard, as related to 1Password:

1. You explicitly tap a field and select copy (I'm going to call this "explicit copy," it falls under tapping on a field, swiping to copy, and other selection of an explicit copy button)
2. You tap a field as part of an item in the Favorites screen. Then you can leave 1Password and come back and within a certain time frame it'll copy additional fields to make copying successive fields easier. So the first field is explicit but subsequent fields are automatic upon launching.
3. Generating a new password will also copy to the clipboard, as will saving a new item
4. If Universal Clipboard is enabled and you copy from another app you may end up with that clipboard being available on other devices.
5. TOTP codes can be copied automatically as part of Password AutoFill. This isn't a password, but it's another thing that we can automatically copy so I'm listing it here.

All of our copying goes through the same method so looking at the code these are the only ways I'm seeing that it can happen.

If you goto settings > security can you check whether "Clear Clipboard" is enabled? If not, any of the above is likely. If it is enabled I think it's far more likely it was Universal Clipboard.

If you can provide exact steps to recreate it in some other way that would be a lot better as I can take a look at that specifically. But really, under the above information, you'd only have a small number of potential avenues of it possibly appearing in the clipboard unexpectedly.

Hope that gives you some additional information and maybe some theories on what might have happened.