Help!—Suspicious messages from 1Password this morning,
Here is the text of an email I just sent to 1Password support but maybe the forum will have an answer....
Hello 1Password/AgileBits team,
I have been using 1Password for a long time, trusting it, and recommending it to friends. But this morning my confidence was shaken.
Here is what happened: Periodically I get an upgrade notice on my iMac, telling me that an upgrade to 1Password is available. I always click the download-and-install option. I did so this morning and everything seemed to go well. As usual after the install, or upgade was finished, ` Password opened on my desktop, and I checked that it was still working correctly by entering my master password. No problem. It worked.
Later however, as I opened my Chrome browser to check my email, a small window appeared, seemingly from 1Password, with a 7 digit “authorization code in it. I also have the small 1Password icon in my menu bar and a couple of minutes later, a small drop-down window appeared from the 1Password icon in my menu bar, with the following message:
"1Password requires an authorization to work with Google Chrome. Click Authorize if the code below matches the one in your browser.” And there was a number, this time only 6 digits, without the first “0” that I saw in my Chrome browser.
What is going on? I have had the 1Password extension installed and working in my Chrome browswer for a long time, and never saw anything like this before…Does this have anything to do with the 1Password update that I did this morning?
(the 1Password extension is also installed in my Safari browser). If a whole new security system is now required I would have expected a careful, security-based firm like Agile bits to have warned me and explained it in an email, at the very least.
Finally, in addition, that pop-down window from the icon in my Menu Bar now shows a different 6-digit number, and more annoying, and more worrying, it will not go away, when I click on the “Cancel” button right next to the “Authorize” button.
Please tell me what the devil is going on. Should I be concerned. Should I stop using 1Password? What does all this mean. It seems very strange…
Thank you for taking this question seriously, and replying as fast as possible.
Lito Tejada-Flores
1Password Version: 6.3.4
Extension Version: ??
OS Version: OSX El Capitan
Sync Type: Not Provided
Comments
-
Hi @litotf,
Thanks for taking the time to write in.
This is one of the steps that we are taking to improve the communication between the browser extension that lives in your web browser(s) and the 1Password mini that lives in your menubar. The interaction you've described is normal, and if the numbers match up you should approve the communication. If they do not, somehow, then please drop us a message so we can see why that might be. Do not approve a request where the numbers do not match.
We are working on getting more details about this change out.
Thanks!
Ben
ref: KVS-61391-121
0 -
Thank you, Lito, for posting this question. I had a similar experience this morning though with Firefox on a MacBook Pro. I'm not sure why but despite it appearing as a usual agile bits message, I felt suspicious and came here to check.
Thank you, too, Ben for the prompt response to Lito. However, perhaps it is just me but I had to guess which section of the forum might have an answer this. Yes, I'm not very smart, I know but maybe the inclusion of a "Current Issues / Alerts" or some such section would be useful for any future incidences of this nature or for speedy reports and access to information on what might appear as suspicious activity.
I guess that this being a password program, it would be normal for most users to be a little more wary even than normal.
0 -
Thanks Ben
0 -
You're both very welcome, and thanks for the feedback!
Ben
0 -
Hi,
I had also a similar problem. The 1Password mini asked me to authorize Safari but first I had no such a page on Safari then when I reloaded it the page arrived with the same numbers so I accepted and another dropdown with different numbers appeared and no way to make it disappearing. So now every time I open a browser Safari or Chrome, the dropdown is there even if in the browser window it say everything is OK. :(
0 -
Just a note that when 1PW 6.3.3 informed me that an upgrade was available it gave me information about the upgrade that mentioned this new authorisation process. Yes, AgileBits should probably give the explanation in several places, but if people don't read the description of the upgrade then they won't see important information.
0 -
With all due respect, I don't appreciate a moderator implying that those who have asked about this upgrade are too stupid, uninformed, lazy or whatever, to not read the information given by AgileBits. This is typical "blame the victim" rhetoric and completely at odds with the excellent client support offered by Ben, earlier today. I think, Danco, that if this is the style of response you make then you are not suitable to act as a moderator.
The fact that other information is presented does not necessarily mitigate the suspicion, in an instance such as this, that the email may be fraudulent. We who use the Internet continually, as I presume that you do, too, are well acquainted with both the obvious "Nigerian" and "Make a billion bucks in a week" type of obvious scams and the more subtle attempts at phishing, etc. when official sites are mimicked in almost if not every respect. It can be very hard to pick those.
I, too, saw the extra information but it, too, could well have been a bogus explanation aimed at deceiving those with doubts. That is why I logged directly into the AgileBits site and I believe that a good moderator would advise that __whenever a user is uncertain of a message, that they log in to the official site and check it out.__
As it happens, this evening when I came back to my computer and attempted to use the mini icon to log into Twitter and other places, I discovered that it simply does not respond. I don't know whether that is a result of that change or something else as I've just discovered it. However, I do know that prior to that message and my upgrading, 1Password was working without a problem. Now it isn't.
Please don't get me wrong. My intention is not to be rude or put you down but to advise that your comment is inappropriate in its somewhat superior tone and what it implies about others. Many of us are not well-versed in IT or the Internet or whatever. What seems straight-forward practice to you and I may not seem so to others. Let's support and encourage the development of expertise and safety, rather than give advice that may well cause some users not to ask again, lest they be made to feel foolish.
0 -
The instruction to compare numbers makes no sense to me. Where within Chrome will I find a "number" to match with 1password? I have never heard of a number of this sort.
0 -
With all due respect, I don't appreciate a moderator implying that those who have asked about this upgrade are too stupid, uninformed, lazy or whatever, to not read the information given by AgileBits. This is typical "blame the victim" rhetoric and completely at odds with the excellent client support offered by Ben, earlier today. I think, Danco, that if this is the style of response you make then you are not suitable to act as a moderator.
I don't see that implication at all in danco's post. I'm sorry that you felt it was there though. I believe all danco was trying to do was address this point in your original post:
Does this have anything to do with the 1Password update that I did this morning?
By pointing out that the release notes for the update contain this information, and suggest that in the future you read them as they do often contain important information such as this.
Please don't get me wrong. My intention is not to be rude or put you down but to advise that your comment is inappropriate in its somewhat superior tone and what it implies about others.
Tone is something that is very difficult to deal with in a text only communication. danco can speak for himself but I don't believe he intended his message to be read in a negative tone.
The fact that other information is presented does not necessarily mitigate the suspicion, in an instance such as this, that the email may be fraudulent.
It was not presented in an email. It was presented in the release notes, which are part of the update itself.
That is why I logged directly into the AgileBits site
And that is just fine. That is what we're here for. And we addressed the issue for you here. As I mentioned I believe danco was merely correcting an oversight on my part in pointing out that the information you were looking for (an announcement from us) was in the release notes for the update.
I don't know whether that is a result of that change or something else as I've just discovered it. However, I do know that prior to that message and my upgrading, 1Password was working without a problem. Now it isn't.
I'd like to ask you to create a Diagnostics Report from your Mac:
Sending Diagnostics Reports (Mac)
Attach the Diagnostics Report(s) to an email message addressed to support+forum@agilebits.com.
Please do not post your Diagnostics Report(s) in the forums, but please do include a link to this thread in your email, along with your forum handle so that we can "connect the dots" when we see your Diagnostics Report(s) in our inbox.
You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here so we can track down the report(s) and ensure that this issue is dealt with quickly. :)
Once we see the report we should be able to better assist you with this issue.
Thanks!
Ben
P.S. Just to be clear: Community Moderators are not AgileBits employees or contractors. They are volunteer community members who have stepped up to help other community members.
0 -
The instruction to compare numbers makes no sense to me. Where within Chrome will I find a "number" to match with 1password? I have never heard of a number of this sort.
The number will appear within the 1Password browser extension in Chrome and within 1Password mini in your menubar. The numbers should match.
Ben
0 -
Ben - I had the same problem. I was suspicious of the notification regarding the update, so I went to the app to do the update. The app update gave no directions regarding the authorization procedure. I also had no idea where to find the number to confirm the authorization. After several iterations in procedure, a new number appeared, along with another window with a corresponding number, so at that point I confirmed the match. 1 Password and the extension seemed to be working, but now the extension does not seem to be working and the original window with the first number I got is still open and will not go away. The original window will not respond to either the "cancel" or "authorize" buttons. What do I do?
0 -
I just went into the list of Chrome extensions and there are two that reference 1Password but there is nothing that mentions some code number. Still confused.
0 -
At this point in time the confirmation of the security code is not possible as it is not shown in 1P!. Safari extension stopped working!
I wrote this email to support:
Code is shown in browser but not in 1P!!!
Extension stopped working in Safari!
1P helper App crashes frequently!
Please repair soon!
macOS 10.12.0 (16A323) · Safari Version 10.0 (12602.1.50.0.10)
1Password 6
Version 6.3.4 (634001)
AgileBits StoreSafari Extension 4.6.1 (tried both from Gallery and from AgileBits)
0 -
I do get a bit impatient at times, and wonder why people aren't seeing things that seem so obvious to me.As I am not an AgileBits staff member, and do not represent them, I feel just as entitled to express this impatience as any other user. Sorry if this offended you.
I agree that I would not trust an email recommending that I made an upgrade. But I do trust a message that comes in the program itself (not in email, not in a web browser) advising me of an update. Perhaps this is riskier than I realise. But I would never install an update without seeing some information about the update, and in this case we were told that the update would produce this authorisation procedure.
That said, it is clear that the authorisation was not as smooth as it should have been, and I would never be critical or dismissive of anyone who couldn't get it to work. In my own case, Safari produced the authorisation with no trouble, but in Firefox the extension just didn't work and I had to remove it and reinstall to get an updated extension that did work. And there seem to have been other issues as well.
0 -
When people see new and unexpected behavior in a security product, they can't be blamed for being suspicious. And I can't blame anyone for not reading the release notes (or with sufficient care) on the upgrade.
During beta testing and also during the time that this has been in the stable releases for 1Password for Windows we've had the opportunity to try to figure out how to make this clear to people and as our early beta testers know there have been lots of improvements during that time. But getting this right for everyone is tricky. A sizable number of people rarely open the main 1Password application, and so putting a notice in there will offer little help, and just be another "strange behavior".
For example, although (almost?) all of us use Bartender, we missed a Bartender interaction that affects people who work in ways that we didn't consider and didn't come up in testing. Beta testers also tend to be more comfortable with things changing on them. So there are things like this that our testing failed to highlight.
But while there are things that we might have done differently if we knew last week what we know today, a lot of the things that we could have done differently come with their own problems. We could have had more explanation in the text shown in both both the browser extension and in the mini/agent popup, but in general, the more text you have the more likely the whole thing will be ignored.
So sorry for the scare. I'm not sure that we could have handled this much better than we did, but there are certainly things for us to learn from all of this.
0 -
the mac version is hosed. 1st, every time something like this happens, i do the recommended fixit steps but they don't work. the only thing that works is your next update so I am without 1password mini in the browser until then.
clicking the mini icon in any browser or right click menu locks the mac app. the mini won't launch to accept the code. I am sorry that the mods are arguing about tone but you guys ship stuff that should be in full releases in point releases. new features only help if they work. I didn't need to spend an hour this morning & for all the security of 1password, I've been slowly migrating my less secure site passwords over to the built-in password managers in Opera especially.
I trusted that an update wouldn't stop something from working. I'm sorry if my tone is a little rough. This morning has been the most frustrating one as an owner since 1password 2 or so. Tone matters when a customer is unsatisfied. Thank you for your time & consideration.
0 -
I would like to chime in. I hope that my words are more constructive than anything else.
I read the update release notes and still experienced problems. Somehow, it worked itself out, but I'm really not sure how. The authorization window remained open for all browsers, even though I typed the correct code. There was NO feedback whatsoever. After a re-start, the authorization pop-up window (which blocked both the 1Password icon and browser search field, finally disappeared. I wasted a good hour on this.
Now for the constructive criticism: Your release notes are way too long and far too cryptic, so I don't blame those who either don't read them or brush by them. Not for anything, but I really don't need the cutsey humor injected into most of the release notes either, it just gets in the way of what I really need to know. I just want you guys to get to the point and tell me the upgrade features......in plain English.
As an aside, I recently purchased a new iMac and it took me a good 6 hours getting the 1Password to work. I scoured the forums and none of the solutions worked, including creating a family account, which was a waste of time and did nothing. I finally got it working (i believe syncing with my iPhone iCloud did the trick, but if I had to repeat the steps to the average user, I don't believe I can. I LOVE the app...it's by far my favorite, but everything seems so complicated and cryptic. One update even killed auto-submit and I had to scour the internet to find the zip file to correct this.
It's come to the point that I regret seeing a 1Password upgrade, especially if everything works, afraid that things might get broken or complicated (like today).
Please do not take this as an insult. Again, I love the app and the support given. Nothing is perfectand hopefully my gripes will be taken as constructive criticism.
0 -
I hope I'm not contributing to some flame war here because I understand that some people were surprised and felt nervous. But the update message was succinct and to the point:
I understand that people don't always read release notes. But what more could they have done to alert people of the change?
0 -
@pervel: Thanks for weighing in. To be honest though, not everyone reads the release notes. I wish there were a better way. It's hard to be unintrusive and informative simultaneously. I have automatic updates disabled for the express purpose of reading all of the updates, but I realize I'm probably in the minority. :lol:
@passthehat: I'm sorry for the inconvenience this has caused you. However, it was very important for us to not wait to release the new mutual authentication feature both due to specific security concerns and also because, just in general, it would be foolhardy and irresponsible of us to sit on our hands and not improve security when we see room for improvement simply because the timing is inconvenient.
I'm also really sorry if we're coming off roughly about this. I can only speak for myself directly, but I suspect I'm particularly guilty of this at times, because security is a very serious matter to all of us. That's why we make 1Password and why each of us uses it. I personally find it very difficult to strike a balanced tone when so much is at stake: the sensitive data we all entrust to 1Password. I don't want to give anyone the impression that this is something which should be taken lightly.
@robncourt: I think your comments are also very apt under the circumstances. Even with release notes it's impossible to strike a tone that works for everyone. Some people love them; some hate them; some don't care one way or the other. I think more than anything our goal there is to try to grab people's attention so that they do read them. Often there's not a lot of earth-shattering stuff there, but again, this is software we all depend on heavily, so I think there's an argument to be made that we should all have some sense of what's going on. If we can entice or annoy someone into reading even that small paragraph that pervel posted, it can give them an idea of what to expect.
And please, please don't be a stranger! I'm glad you're here now, but I'm sorry to hear that you've had troubles with 1Password in the past and never contacted us, instead suffering the lonely fate of sifting through search results. That's what we're here for. We want to help. So I hope that if you (or anyone else) encounters further issues — or has questions, comments, or suggestions — that you'll reach out. We're here for you. :blush:
0 -
As someone who did read the release notes and knew about the new authorization system, I still have no idea what to do. The in-browser message says "Compare this code to the one shown in 1Password." There is no code shown in 1Password. It's not in 1Password mini and it's nowhere to be found in the app (I looked through all the settings panes…nothing). Maybe make sure your new thing actually works before blaming users for not reading the release notes.
0 -
With reference to my comment [Mikisdad October 18] and my reference to Danco's post [Danco October 18] and Ben's response to me [Ben October 19].
I was not seeking to start a "flame war". "I was not meaning to demean anyone". "If I reported the message as email and it was not then I apologise for that mistake; I saw the message during a morning check of my email and I can only think that it must have come as a notification [or something] during that time and I've not realised. I did not intend to misrepresent the message.
I accept that the 1Password crew do what they can to keep users informed.
I apologise to those who were offended by my reference to Danco's tone for I didn't and don't mean to offend anyone. I do however stand by my assessment of the tone and its possible implications for some.
Notwithstanding my previous paragraph, I note Ben's comment that Danco is a voluntary moderator and accept that I may have been unfairly critical. I am a mere mortal and I make mistakes. I think that my frustration probably influenced my own response as I felt that I was being criticised for not having read the instructions and because, all too often, I find the victim being blamed for his or her own circumstances. [For example, the poor, the dispossessed, the uninitiated, the unemployed, the disabled, the unschooled, etc.] However, mitigation does not remove guilt but only, perhaps, explains it. For that reason, I also apologise to Danco.
I apologise to those who have no interest whatsoever in reading a comment such as this and who consider me to be some sort of expletively qualified waste of space.
In future, I promise that I shall do all I can to resist any urge, driven by frustration or otherwise, to seek clarification and, in doing so, risk making similar mistakes and offending again.
Please all have a good day.
0 -
Thanks for this reply. As the one who started this issue by being sharp to users, I am happy to accept the apology and see no need to discuss the matter further.
We all get frustrated at times, I guess your frustration explains your tone, and my frustration (I sometimes feel I am devoting more time to helping others than is good for the rest of my life) explains my tone.
So enough of this. Let's go back to discussing the actual problems that have occurred in the upgrade process, some of which affected people even if they had read the release info.
0 -
@mikisdad, @danco: I feel like the takeaway here is that there's always more that we can do to make 1Password both secure and easier to use, particularly when we make user-facing changes like this.
For example, this change was described in the opening paragraph of the release notes for 6.3.4, which is shown with the update:
But certainly not everyone looks at that when its presented, so we've made some changes in yesterday's 6.3.5 update to compensate for some 3rd party software interactions and also improve the visibility and clarity of the authentication (along with a link for more details):
This should help a lot of people, and we're open to more feedback if anyone thinks there are other ways we can improve this security feature for everyone. The feedback on this has been greatly appreciated, and I'm sorry where we've failed in making things clear enough.
@stormchild: Please update to 6.3.5, restart your Mac, and if you have have any further trouble be sure to provide some basic information about your setup: OS, 1Password, browser, and extension versions you're using, the exact steps you're taking, and what is (or is not) happening the way you expect so we can figure out the best plan of action. Thanks in advance! :)
0 -
I have exactly the same issue as @stormchild , but at the moment there is no 6.3.5 update available to me? Has it been released yet @brenty ?
0 -
@Tomtids: 6.3.5 should be available, but if you're using the Mac App Store version sometimes it can take time for an update to propagate to everyone.
Either way, while 6.3.5 will help in some cases, we don't need to rely on that. Unfortunately without some basic information it's hard to say what might be going wrong and how we might right it! Please tell me the OS, browser, and extension versions you're using, the exact steps you're taking, and what is (or is not) happening the way you expect so we can figure out the best plan of action:
http://support.1password.com/cs/version/
The more information you can give, the better. For instance, I've been seeing more cases of Firefox not updating itself or extensions, both of which can cause trouble for using 1Password there. But of course, I have no idea if you're even using Firefox! Let me know. Thanks in advance! :)
0 -
Thanks @brenty
I am on a mac, OS version: 10.11.5 (15F34)
I am using Chrome version: Version 53.0.2785.143 (64-bit)
1 password version: 1Password Version 6.3.4 (634000) Mac App StoreWhen I restart my Mac and start Chrome the screen is taken up with the "Compare this code to the one shown in 1Password." message (see grab).
However, when I open the 1password in my system tray or the one in the chrome toolbar there is no code to compare it with.
0 -
Hi @Tomtids
I wonder if you've been able to update to 1Password 6.3.5 now, this will probably help you sort everything out. I don't know whether you're using the version from our site or the AppleStore, but if it's the former you can go to Preferences then Updates and check for updates to see if it kicks in this way. If you still can't get 6.3.5, are you using Bartender or a similar app? If so getting 1Password mini (the one on the menu bar) out has done the trick for most people.
Please let us know how this goes for you :chuffed:
0 -
@Tomtids: I also wanted to add that while 1Password 6.3.5 just came out within the last day or so, Chrome 54 has been out for over a week and El Capitan 10.11.6 has been out for nearly two months, so please update both of those as well. While the El Capitan update probably won't have an impact on this issue, it includes important security fixes and improvements. And the 1Password and Chrome updates will definitely help your situation here. Chrome in particular, when an update is pending, will break extensions. I suspect that the Chrome update alone will resolve the issue, but the others are important as well. Please let me know how it turns out!
0 -
Ah - its not all good @brenty . Every time I start my computer now I get this error:
0
