Password transfer from email to survey form
Just bought some shoes from Rieker online. They emailed me imviting me to fill out a survey on my purchase. I'm doing this on my Ipad.
On their email, I "copy" the product code, select the "take survey" option, and the form opens in Safari. I "paste" the product code in the title box, but..........
Instead of the product code appearing (an 8-digit numeric code) I see to my amazement, and shock, one of my passwords stored in your app (which I have been happily using for quite a while). The password appeared in clear text. This one is 12 characters, a mix of upper and lower case, plus numbers and other characters, all quite random. It is used in only one of the 72 entries I currently hold in this app.
I find this deeply concerning, as you can imagine.
I've erased the password, and repeated the copy-and-paste routine, and it worked properly.
I have completed and submitted my review to Rieker.
Finally, I tried again to reproduce what happened, but the tab on the Rieker email now tells me "you have already submitted a review"!
Please can you help/advise?
Many thanks
Brian M Barber
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Password transfer from email to survey form
Comments
Team Member
Hi @Brian987
Could you please check in the Settings app under
Passwords & Accounts > AutoFill Passwordsto see if you have iCloud Keychain enabled? If you do please disable it.Thanks.
Ben
Hi Ben, Thanks for getting back to me. I think you must be talking about a more modern Ipad than ours are. Mine is an original, about 6 years old. It doesn't have the selections you refer to in "Settings". However, my wife's Ipad Air (first version) does have something similar; not "Autofill Passwords" but I found my way to iCloud Keychain, and it was already disabled. In fact, the acces to the Cloud has never been enabled. It could have been relevant to my experience, as both our Ipads are registered to the same two email addresses, but it seems that the explanation for my symptoms must lie elsewhere.
Any other thoughts?
Thanks,
Brian
Team Member
Brian,
Thanks for the additional information. There are three ways that 1Password can interact with web pages:
The 1Password extension: This extension is accessed through the iOS "Share" sheet (
). Use the 1Password extension to fill in Safari and apps on your iPhone and iPad
1Browser: The browser built-into 1Password. This is the only option on iOS for "Go & Fill" where tapping on a URL will take you to the specified page and fill in the corresponding credentials
So, a few questions that I would have:
websitefield specified on it?1Password only fills Login items where the URL in the
websitefield matches the URL of the page you're currently viewing. If you were not using any of the above features and do not have a Login item with that password on it that has a website field that matches the page you were on then I'm struggling to figure how what you saw could be associated with 1Password.Please let us know.
Ben
Hi Ben,
Sorry for the delay; I'm still getting used to finding this Forum page to see if you have sent a reply.
To answer your questions:
No, I wasn't using any of the three features.
No, the password that I saw on the Rieker survey page is unique to the one, financial account where it is stored. I have not entered a web address for any of the logins (now there are 73), as I keep a separate register of the ones I use frequently; on my Ipad they are stored as Bookmarks ( this includes the financial website in question, but not the Rieker website).
I can see this is difficult, and I am completely baffled and disturbed. I fondly imagined I had created a really secure password. I only ever transfer it by copying the unrevealed password, and pasting it into the 'log in' page of the financial website. And suddenly, there it is in full view!
I do hope you may find a solution.
Best wishes
Brian
Team Member
@Brian987
You mentioned that this happened while attempting to paste... in speaking with one of my colleagues I was reminded of a feature that may explain what you saw. 1Password for iOS has a feature where if you copy the username from a record and then at some point switch back to 1Password it copies the password from that record automatically. Does that possibly explain the behavior you saw?
Ben
Hi Ben,
I don't think so, although its an interesting idea.
I should explain that the financial website whose password was "lifted" was Fidelity. The survey form was an attachment to an email from Rieker. The number I was trying to copy and paste was the product code in the email for the shoes I had bought, and nothing to do with any record in 1password; I haven't even made a record of the Rieker account, and there was no requirement to supply a user name in order to complete the survey. I can't really seehow there could have been any connection from and email from Rieker with a password in the Fidelity record.
Somewhere there must be an explanation?!!
Best wishes
Brian
Team Member
Hi @Brian987
Ben asked me to jump in here. I'm on both our iOS team and our security team.
First I want to say it's unlikely we find any definitive way to explain this since we don't keep a record of any of this in the logs for 1Password. So we can't reference anything to indicate what may have been done. Best I can do is offer up the ways that items can be copied to the clipboard.
There are only 5 ways that I can think of that causes anything to be in the iOS clipboard, as related to 1Password:
All of our copying goes through the same method so looking at the code these are the only ways I'm seeing that it can happen.
If you goto settings > security can you check whether "Clear Clipboard" is enabled? If not, any of the above is likely. If it is enabled I think it's far more likely it was Universal Clipboard.
If you can provide exact steps to recreate it in some other way that would be a lot better as I can take a look at that specifically. But really, under the above information, you'd only have a small number of potential avenues of it possibly appearing in the clipboard unexpectedly.
Hope that gives you some additional information and maybe some theories on what might have happened.
Hi AGKyle,
Thanks for your comments. I am afraid you are rather bamboozling me, as I am not a computer expert, and am not aware (for example) of there being a clipboard (or universal clipboard) within my Ipad's facilities; I certainly haven't consciously used it!
I have checked all 3 of our Ipads (one bought only last year), and cannot find a "security" option under "Settings"; I have looked further under "General" etc, but it seems that you might be referring to something other than what we have? So, I can't comment on "Clear Clipboard".
All in all, I can see that between you, you have tried to advance theories to explain the cause of what I experienced, but have not been able to come up with a solution.
I think I have explained clearly the steps I followed which resulted in a password stored in your App being displayed in "clear" in the field of a shoe supplier's survey form; this from a selection I made by 'copying' a product code displayed in the supplier's email and 'pasting' it into the field in Safari. I can add more detail to this if it is not clear in any respect. What is not in doubt (I think) is that it should not have happened! As I said in one of my earlier posts, I tried to recreate the error, but was not able to.
I feel it is now down to 1password team to find the glitch that must exist in your software, and eliminate it. Otherwise, I am inevitably left with a feeling of insecurity.
Sorry to be blunt, but I can't really say more.
Best wishes
Brian
Team Member
There is, it may be on by default, and could easily be used unintentionally:
Use Universal Clipboard to copy and paste between your Apple devices - Apple Support
The setting Kyle was referring to is within the 1Password app. You'll find the settings tab at the bottom of the 1Password screen when 1Password is unlocked.
The best explanation I can offer is that it seems what you thought was on the clipboard either was not, or was overwritten, and so when you pasted it what was actually on the clipboard at that time was pasted.
I'm sorry but I don't believe I can agree that what you've described necessarily indicates a 'glitch' in 1Password. I haven't seen any evidence of that. As you indicated above it doesn't appear 1Password was even running when this happened ("No, I wasn't using any of the three features."). Certainly if it could be shown that there was a problem where 1Password was somehow filling when it shouldn't be that would be an issue we would take seriously. We haven't been able to reproduce the problem you've described based on the information we've been provided. I haven't found any way to make what you've described happen other than through the scenario I offered above regarding the clipboard contents.
Likewise. Without anything more concrete here there isn't anything more I can add. We've outlined all of the conditions under which 1Password fills items, and under what conditions a password from 1Password could end up on the clipboard. I'm not sure what beyond that you're looking for from us at this point.
Ben