Browser Extension Bug: filling hidden/disabled form fields with username

It is fairly easy for the browser extension to find possible password fields due to them being a password type, however in general it seems to fill ALL text fields with the username hoping to get the right one if the expected field name isn't there.

Many websites seems to change or use random naming for their form fields.

I am on 1password 3 still and haven't bothered to use my free upgrade to 4 yet. I don't know if there are new browser extensions for 4 or not, so this applies to 1password 3 on mac specifically in chrome (haven't tested with other browsers yet).

When there is a hidden (type or via css:display) AND disabled text field in the form, 1password fills it with the username which breaks the functionality of many sites that rely on hidden form fields. It would seem logical that if a field is hidden and disabled, that it probably isn't the username field and shouldn't be modified?

Concrete example: my german bank account login (sorry I can't give you test credentials. )

https://banking.dkb.de/portal/portal//

There are some form fields besides the actual user/password. The name and id are random on all fields (including the actual username/password fields). This particular one is the problem in this case.

<input type="text" name="ohKSXOepwhenscyO" id="ohKSXOepwhenscyO" value="0" disabled="disabled" style="DISPLAY: none" size="1">

The above field is disabled and hidden (via css), but 1password has set the value to my username in addition to the actual username text field.

document.getElementById('ohKSXOepwhenscyO').value; // contains my username inserted by 1password

The bank has a nice little bit of javascript in the page as well to validate that the login form is only submitted once per pageview. Of course because 1password put my userId in the hidden/disabled text field, I get the alert popup and no login.

<!-- (function(){ IF.checkFirstSubmit = function() { field = document.getElementById('ohKSXOepwhenscyO'); if ( field.value == '0' ) { field.value = '1'; return true } else { window.alert('Ihre Daten wurden bereits abgesendet!'); return false } } }()); -->

I can work around this with a user-script or just copy and paste credentials from 1password into the form fields...but would be nice if this was fixed.

I am not sure the background on why 1password browser extension is inserting username in hidden/disabled text fields, but if there isn't a good reason, it would be a nice fix.

Suggestion

Don't modify value of input where:

`

  • input type="hidden"
  • or where input.style.display == 'none'
  • or where input.disabled == true
    `

Thanks.

-Matt

«1

Comments

  • MeganMegan 1Password Alumni

    Hi Matt ( @matp )

    We've seen several users reporting difficulty with form-filling on the website you mention, and our tech gurus are working hard to find a way to make form-filling better and more automatic with this and other sites.

    Thanks so much for providing that detailed feedback, it has been passed along :)

  • how soon can an update be expected?

  • MeganMegan 1Password Alumni

    Hi @danie1,

    Form-filling improvements is something that is always on our to-do list. Unfortunately I can't say anything specific about when we'll be able to solve the riddle of this particular site. We really appreciate your patience as we work to improve 1Password's filling performance.

  • So I got an update from support that indicated this problem has been fixed in 1password 4. It sounds like they don't plan to patch this in 1password 3. Support suggested that the "fix" for this issue was for me to pay for an upgrade to 1password 4.

    I understand not wanting to maintain old code and having the dev team busy with the new version. However as a consumer 1password 3 works perfect for me aside from this one issue. I only purchased July of last year...so already being forced into a paid upgrade already doesn't make me feel very good.

  • Are there any updates to this issue? It's still present for 1password4.

  • MeganMegan 1Password Alumni

    Hi @matp,

    I'm so sorry if you are feeling forced into an upgrade. That is certainly not our intent. There are, however, a few factors that come into play here. We are a small company, and our developers are mostly focussed (as you say) on polishing some features and squashing some bugs in 1Password 4. This doesn't mean that we are ignoring 1Password 3, but time constraints do factor in - there's just not always enough hours in the day to do all that we would like to do! And we would love to patch up 1Password 3, but unfortunately because the extension has been completely re-written in version 4 (in part to get around problems like this!), it's not a simple matter of adding the new code to the existing extension.

    I hope this helps to understand the situation a bit better. I know it's not a perfect answer, but we will do our best to add fixes to 1Password 3 when it is possible.

  • This bug is affecting me in 1Password4. What's odd is that the "Show web form details" button shows me which forms fields 1Password knows about, and I'm surprised that it fills in other fields too!

  • MeganMegan 1Password Alumni

    Hi @io41 and @akrabat,

    I'm sorry that you're having difficulty with the filling feature in 1Password 4. Are you having this trouble with any websites in particular? As I've mentioned previously, this is something our tech gurus are committed to improving, and the more information we have about the situation, the better. If you could provide us with some websites that aren't filling correctly, we'd love to do some testing on our end. :)

  • I have the same issue, one workaround I found is to edit the form on 1password and only keep the password (a strong one). Then I just need to learn the login.

  • MeganMegan 1Password Alumni

    Hi @cbou,

    Thanks so much for including your workaround here. I do apologize that you have found it necessary! If there are any specific sites that are doing badly here, while I can't promise immediate progress, if you let us know which sites you are having this trouble on, I will file it with our filling gurus to see if they can't improve 1Password's behaviour on such sites in the future.

  • @Megan, yes, https://banking.dkb.de/portal/portal/ , same as the author who started this thread.

  • MeganMegan 1Password Alumni

    Hi @io41,

    Thanks for confirming that for me! I'm sorry if I misunderstood your original post. Unfortunately I have no updates right now on this particular site. If we can improve 1Password's behaviour here, we'll be sure to let you know!

  • I have the same issue, same site: https://banking.dkb.de/portal/portal/

  • MeganMegan 1Password Alumni

    Hi @post,

    Thanks so much for including the link! Our tech gurus are aware of the issue with this site, and they are looking into ways to make 1Password's behaviour here better. Unfortunately, I can't promise anything, but we'll do our best. :)

  • TeqTeq Junior Member

    Can we get some proper feedback on this, rather than "sorry, we're working on stuff to improve, but can't promise anything"?
    This issue is really annoying and defeats the purpose of having a single password, if I have to remember different passwords for the websites that HAPPEN not to work.

  • MeganMegan 1Password Alumni

    Hi @Teq,

    Unfortunately, banking sites can often be tricky to test for us here. Without an actual account, we have to fill in dummy information, so we never actually see a successful result (we can't actually log in using "test123" as a username and password!) This sometimes makes it difficult to pin down where the error is coming in. In this case, I've just spoken with one of our form-filling gurus, and he is unable to reproduce the error. If we can't see it, it's a lot harder to fix.

    That being said, I'm wondering if you can help me with a bit of a test. First of all, I'm curious: have you tried using MikeT's suggested steps? If not, please see if a Login created like so behaves any better. Additionally, please try disabling auto-submit. Does the entry fill correctly if you do not ask it to submit?

    I do apologize for the inconvenience here. I know how great it is to have 1Password fill in sites automatically, and I grumble slightly under my breath every time I have to copy and paste a password manually. I wish I had a better answer for you - please let me know if submit helps things behave a bit better!

  • edited January 2014

    Its time for me to add my 2 cents to this discussion. You can test the issue even if you do not have a banking account on https://banking.dkb.de/portal/portal/.

    1. Test failed login w/o 1password:
       - enter by hand: user: foo pass: bar
    ---> u ll get a response from the server
    
    2. Test autofill but not auto-submit foo/bar with a prepared 1password entry:
       - create an entry for the dkb.de site in 1password user: foo pass: bar
       - set auto-submit:OFF in that profile
       - open the url https://banking.dkb.de/portal/portal
       - fill creds with 1password extension
       - submit by clicking the login btn "Anmelden"
    ---> u ll get no response from the server, but a javascript method 
           creates a div with a message "Ihre Daten wurden bereits 
           abgesendet!"
          translation: "Your data has already been sent!" . 
         This is a misguiding message, cause the data actually has 
         not been send. The devs of that site made a mistake here.
    
         expected: same behavior like Test 1
    

    Note: same happens with auto-submit:ON

    The test should be enough to reproduce the issue. Also reread carefully what the OP @matp posted. I think his Suggestion could be the correct solution.

    Anyway, I could fix the site for my personal use, with the help of a local greasemonkey userscript, which disables that stupid javascript-check on that site. But a general solution might be @matp's suggestion. Please use my TEST to verify his suggestion.

    Cheers
    Russ

    my userscript:

    // ==UserScript==
    // @name        dkbFix
    // @namespace   
    // @include     https://banking.dkb.de/portal/portal/
    // @include     https://banking.dkb.de/portal/portal//
    // @grant       none
    // @version     1
    // ==/UserScript==
    
    //disable stupid checkFirstSubmit function, 
    //which prevents login after using 1password to fill in the username
    IF.checkFirstSubmit=function(){};
    

    This is a site-specific solution, which is not feasible as a general fix for 1password. @matp has the right idea IMHO.

  • MeganMegan 1Password Alumni

    Hi @Russell_Stout,

    Thanks so much for adding your two-cents here! I'll pass this along to our filling gurus (I'll admit, I'm not a developer, so my understanding of html and javascript is still very basic.) But since, as you say, it is likely that the web developers made a mistake (or did things in a unique way) when coding the site, we might not be able to get 1Password to behave properly here.

    For the time being, this is just one of those websites where you'll have to copy and paste your user information from 1Password into the fields manually.

    I really do wish that I had a better answer for you all - your time in testing is much appreciated, and we will update you here if we are able to make any progress on this issue!

  • edited January 2014

    @Megan, let me rewrite. That javascript message is actually not a mistake of the dkb-devs. They could not know (test) that somebody tries to fill in the form values automatically. The message they produce is correct for the case they had in mind.

    Anyway, and don't take me wrong, it would be nice to read some opinion of your 1Password filling guru on the suggestion of @matp. I am pretty sure agilebits can get 1Password behave properly on that site.

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    Hi, guys. I work on the browser extensions quite a bit, and I recently made a change that I think should help with this issue with filling fields that are not visible to the user. (Please note I say not visible rather than hidden since <input type="hidden"> is an actual HTML construct, and I don't want to confuse things here by mixing up our terminology.) I made the change for 1Password 4 extension. Our code has diverged quite a bit since 1Password 4's release, so I will need to manually migrate this change over to 1Password 3 at some point.

    Could you give the latest 1Password 4 extension a try and let me know if you still have trouble with it filling these non-visible fields?

  • Thanks @jxpx777, I've tried the latest 1Password 4 browser extension, and the beta browser extension too, but the same issue occurs. Here's a video showing an end-to-end test, including creating a login in 1Password. It's only 40s long but show's how to easily reproduce the issue even without banking credentials. https://www.dropbox.com/s/h7xhq9vppg2f5cn/dkb1password.mp4

    Here's a vimeo version, but that's still encoding and won't be viewable for about 30mins:

  • edited January 2014

    Looking at that video, I have to correct my description of the TEST I proposed. In Test2 hitting the submit btn does not create a div. As we see in @io41's video, it is an alert box. I thought it was a div, cause I used Firefox, which displays alert boxes that look like overlay divs.

  • edited January 2014

    @io41 to make sure for @jxpx777, you tested the version he uploaded, you should mention the version number of your browser addon.

  • io41io41
    edited January 2014

    @Russell_Stout @jxpx777 sorry, I did not see an uploaded version here so I presumed it was the latest beta on the official download page. In the video above I tested on the latest stable release (4.0.1) and the current beta, which was at version 4.1.0.b2. Both had the same behaviour.

    Edit: Added tested version numbers

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    I've narrowed down the code that's being triggered on the site, but so far I haven't been able to figure out where it's being triggered from 1Password's filling algorithm. I'll investigate more and see what I can find.

  • @io41: With uploaded I did not mean he uploaded it here. He uploaded to the server(s), that deliver the extensions. You should go into Safari-->Settings-->Extensions and see if there is an update available for the 1Password extension. And write down the version number you read there after you eventually updated the extension there.

  • @jxpx777 awesome, thanks for investigating!
    @Russell_Stout Cool. I went straight to https://agilebits.com/browsers/index.html and installed from there.

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    Hi, guys. I found the issue and pushed a fix for review, but I expect there to be some internal discussion and debate about it as it makes a pretty significant change to our core filling algorithm. It might be a little while before the solution is available in a release, but I wanted to update you all with the latest information since you've been so helpful in getting to the bottom of it. Thanks for your patience!

  • @jxpx777 that's a mil for all the effort, the feedback and keeping us in the loop. Also, wooohoo! :-) I realise code & architecture reviews can take quite some time but it's great to see it's getting all this attention.

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    It's my pleasure, @io41! Now that we know exactly what's happening, we'll have a solution one way or another fairly soon. :)

This discussion has been closed.