Autofill on Agilebits forum page (already logged in)

I happened to invoke the auto-fill hotkey while on the forum today and noticed that it strangely filled in my email address into the page number indicator. Is this a concern if it injected it into this space? What is to say that my password was not injected into some other DOM element?


1Password Version: 7.0.BETA-16
Extension Version: 4.7.1
OS Version: macOS 10.13.4
Sync Type: iCloud & Dropbox

Comments

  • mlebarron
    Community Member

    just checked and mine did that too

  • jxpx777
    1Password Alumni

    Hey, folks! I agree this is a little bit strange but it's also easily explainable. Whenever you tell 1Password to fill (either with the keyboard shortcut or clicking the item to fill in 1Password's interface), 1Password trusts that there is indeed something on the page for it to fill. In this case, 1Password is finding the text field for the page navigation:

    Looking further, there are only a few text fields on the page, and this "page" field turns out to be the first one that we can't specifically exclude. (We make a point to avoid search fields.)

    Outside of better candidates, 1Password's best guess is to fill in the username in the first field that it can surmise might be the username field.

    I agree that we can probably do better here, but I did want to explain why the behavior is hopefully less bizarre than it might seem. Please let us know if you have other questions.

    --
    Jamie Phelps
    Code Wrangler @ 1Password
    Fort Worth, Texas

  • elDub
    Community Member

    @jxpx777: Thanks. I assume that 1P or any other password manager has to make "best guesses" for some of these forms. Perhaps the site developer chooses to use a cryptically named field, or they use a differently named field on different pages. I can see this as being difficult.

    With the idea of "best guesses" in mind, how do I know that my password is being filled into the right fields on a page which may have 3rd-party content (like ads) showing? What does 1Password do to make sure that it is not populating nefarious forms?

  • jxpx777
    1Password Alumni

    These are excellent questions @elDub!

    One of the most basic things we do is blacklist certain URL patterns from having 1Password's scripts injected. This is in part for privacy/security reasons and also for performance reasons. (We saw one blog that had at least ten posts per page and each post had at least a dozen social sharing buttons and each of those was in an iframe. Having the browser inject even 40KB, which is what our injected script is in the current stable release, into 100+ iframes and manage dispatching messages to all of them quickly bogs down the browser!)

    But for documents that are not excluded by 1Password's blacklist, when you ask to fill a particular Login (credit cards and identities aren't restricted to particular sites for obvious reasons), one of the very last things it does before actually filling is to make sure that the domain for the document it's about to fill is allowed for the Login that is being filled. This means that even if the Login you're filling is allowed to fill on the URL of the tab's top frame, it won't be allowed to fill into iframes' documents if the URL isn't also in the list of URLs added to the item. Because of how browsers separate extensions' JavaScript execution from the page, this determination isn't even visible to the page at all.

    I hope that makes sense. Let me know if I can help further!
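The two decisions described in this thread, the "first non-search text field" heuristic from the earlier reply and the per-frame domain check from this one, modelled together as an added example. This is not 1Password's code; it uses plain objects in place of a real DOM so it runs in Node, and the Login item, the `.invalid` hostnames, the field lists and the subdomain-suffix rule in `hostAllowed` are all constructed assumptions, since the replies do not say exactly how 1Password compares domains or classifies search fields.

```javascript
// Added example, not 1Password's code: models the two decisions the thread
// describes, using plain objects instead of a real DOM so it runs in Node.

// Hypothetical Login item with its list of allowed URLs (constructed sample).
const LOGIN = {
  username: "user@example.invalid",
  allowedUrls: ["https://discussions.example.invalid/"],
};

// Constructed field lists. The forum page has a search box and the page
// number box; the sign-in page has an email field and a password field.
const FORUM_PAGE_FIELDS = [
  { name: "q", type: "search" },
  { name: "page", type: "text" },
];
const LOGIN_PAGE_FIELDS = [
  { name: "email", type: "email" },
  { name: "password", type: "password" },
];

// Assumption: a frame is allowed when its hostname equals, or is a
// subdomain of, the hostname of one of the Login's URLs. Unparsable URLs
// are never allowed.
function hostAllowed(frameUrl, allowedUrls) {
  let host;
  try {
    host = new URL(frameUrl).hostname;
  } catch {
    return false;
  }
  return allowedUrls.some((u) => {
    const allowed = new URL(u).hostname;
    return host === allowed || host.endsWith("." + allowed);
  });
}

// Field heuristic from the reply: skip search fields, then take the first
// remaining text-like field as the username field. Assumption: a "search
// field" is type="search" or has a name that looks like a search box.
function pickUsernameField(fields) {
  const isSearch = (f) =>
    f.type === "search" || /search|^q$/i.test(f.name || "");
  const textLike = (f) => ["text", "email", ""].includes(f.type || "");
  return fields.find((f) => textLike(f) && !isSearch(f)) || null;
}

// Fill decision for one frame's document. Returns a record instead of
// mutating anything, so the outcome can be inspected and tested.
function decideFill(frameUrl, login, fields) {
  if (!hostAllowed(frameUrl, login.allowedUrls)) {
    return { filled: false, field: null, reason: "frame origin not in Login's URL list" };
  }
  const field = pickUsernameField(fields);
  if (!field) {
    return { filled: false, field: null, reason: "no candidate field" };
  }
  return { filled: true, field: field.name, reason: "first non-search text field" };
}

// Stand-alone demonstration: the three situations from the thread.
const cases = [
  ["top frame, forum page", "https://discussions.example.invalid/categories", FORUM_PAGE_FIELDS],
  ["top frame, sign-in page", "https://discussions.example.invalid/entry/signin", LOGIN_PAGE_FIELDS],
  ["ad iframe inside the forum", "https://ads.example-network.invalid/widget", LOGIN_PAGE_FIELDS],
];
for (const [label, url, fields] of cases) {
  console.log(label, "->", decideFill(url, LOGIN, fields));
}
```

Run with `node`: the forum page reproduces the reported behaviour (the `page` box is the first candidate once the search box is excluded), the sign-in page picks `email`, and the ad iframe is refused before any field is even examined, because its origin is not in the Login's URL list even though the top frame's is.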

This discussion has been closed.