Just bought some shoes from Rieker online. They emailed me imviting me to fill out a survey on my purchase. I'm doing this on my Ipad.
On their email, I "copy" the product code, select the "take survey" option, and the form opens in Safari. I "paste" the product code in the title box, but..........
Instead of the product code appearing (an 8-digit numeric code) I see to my amazement, and shock, one of my passwords stored in your app (which I have been happily using for quite a while). The password appeared in clear text. This one is 12 characters, a mix of upper and lower case, plus numbers and other characters, all quite random. It is used in only one of the 72 entries I currently hold in this app.
I find this deeply concerning, as you can imagine.
I've erased the password, and repeated the copy-and-paste routine, and it worked properly.
I have completed and submitted my review to Rieker.
Finally, I tried again to reproduce what happened, but the tab on the Rieker email now tells me "you have already submitted a review"!
Please can you help/advise?
Many thanks
Brian M Barber
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Password transfer from email to survey form
Comments
Team Member
Hi @Brian987
Could you please check in the Settings app under
Passwords & Accounts > AutoFill Passwords
to see if you have iCloud Keychain enabled? If you do please disable it.Thanks.
Ben
Hi Ben, Thanks for getting back to me. I think you must be talking about a more modern Ipad than ours are. Mine is an original, about 6 years old. It doesn't have the selections you refer to in "Settings". However, my wife's Ipad Air (first version) does have something similar; not "Autofill Passwords" but I found my way to iCloud Keychain, and it was already disabled. In fact, the acces to the Cloud has never been enabled. It could have been relevant to my experience, as both our Ipads are registered to the same two email addresses, but it seems that the explanation for my symptoms must lie elsewhere.
Any other thoughts?
Thanks,
Brian
Team Member
Brian,
Thanks for the additional information. There are three ways that 1Password can interact with web pages:
The 1Password extension: This extension is accessed through the iOS "Share" sheet (
). Use the 1Password extension to fill in Safari and apps on your iPhone and iPad
1Browser: The browser built-into 1Password. This is the only option on iOS for "Go & Fill" where tapping on a URL will take you to the specified page and fill in the corresponding credentials
So, a few questions that I would have:
website
field specified on it?1Password only fills Login items where the URL in the
website
field matches the URL of the page you're currently viewing. If you were not using any of the above features and do not have a Login item with that password on it that has a website field that matches the page you were on then I'm struggling to figure how what you saw could be associated with 1Password.Please let us know.
Ben
Hi Ben,
Sorry for the delay; I'm still getting used to finding this Forum page to see if you have sent a reply.
To answer your questions:
No, I wasn't using any of the three features.
No, the password that I saw on the Rieker survey page is unique to the one, financial account where it is stored. I have not entered a web address for any of the logins (now there are 73), as I keep a separate register of the ones I use frequently; on my Ipad they are stored as Bookmarks ( this includes the financial website in question, but not the Rieker website).
I can see this is difficult, and I am completely baffled and disturbed. I fondly imagined I had created a really secure password. I only ever transfer it by copying the unrevealed password, and pasting it into the 'log in' page of the financial website. And suddenly, there it is in full view!
I do hope you may find a solution.
Best wishes
Brian
Team Member
@Brian987
You mentioned that this happened while attempting to paste... in speaking with one of my colleagues I was reminded of a feature that may explain what you saw. 1Password for iOS has a feature where if you copy the username from a record and then at some point switch back to 1Password it copies the password from that record automatically. Does that possibly explain the behavior you saw?
Ben
Hi Ben,
I don't think so, although its an interesting idea.
I should explain that the financial website whose password was "lifted" was Fidelity. The survey form was an attachment to an email from Rieker. The number I was trying to copy and paste was the product code in the email for the shoes I had bought, and nothing to do with any record in 1password; I haven't even made a record of the Rieker account, and there was no requirement to supply a user name in order to complete the survey. I can't really seehow there could have been any connection from and email from Rieker with a password in the Fidelity record.
Somewhere there must be an explanation?!!
Best wishes
Brian
Team Member
Hi @Brian987
Ben asked me to jump in here. I'm on both our iOS team and our security team.
First I want to say it's unlikely we find any definitive way to explain this since we don't keep a record of any of this in the logs for 1Password. So we can't reference anything to indicate what may have been done. Best I can do is offer up the ways that items can be copied to the clipboard.
There are only 5 ways that I can think of that causes anything to be in the iOS clipboard, as related to 1Password:
All of our copying goes through the same method so looking at the code these are the only ways I'm seeing that it can happen.
If you goto settings > security can you check whether "Clear Clipboard" is enabled? If not, any of the above is likely. If it is enabled I think it's far more likely it was Universal Clipboard.
If you can provide exact steps to recreate it in some other way that would be a lot better as I can take a look at that specifically. But really, under the above information, you'd only have a small number of potential avenues of it possibly appearing in the clipboard unexpectedly.
Hope that gives you some additional information and maybe some theories on what might have happened.