Mini autofill logic broken - now attempting to fill when it shouldn’t

[Deleted User]
Community Member

This was discussed on the Beta section but only as an aside to another discussion so I thought I would give it its own thread here.

In v7, mini now attempts to autofill every single time you use the keyboard shortcut. This happens even when there is no login field to be filled, or worse - no visible text box at all.

This is a security issue (auto filling usernames and passwords in various text boxes) as well as an annoyance.

This is also a clear change from v6, where the model was, as far as I can tell, to only attempt autofill if there is a login field on screen.

For more info see the original thread that mentioned this issue (not sure how to link to a specific comment but it’s about halfway down the page).

Comments

  • littlebobbytables
    1Password Alumni

    Hi @whiteblade,

    Filling across multiple Chrome profiles was quite broken in a number of the betas but that was corrected prior to the release of 1Password 7. I feel it is probably important for the discussion if you were to elaborate on the situation where 1Password is filling incorrectly. It should be noted that every version of 1Password from 4 to 7 will attempt to fill the currently open page if you use the keyboard shortcut ⌘\ - nothing has changed here in 1Password 7. If you can detail a reproducible scenario where filling shouldn't happen I will investigate.

  • [Deleted User]
    Community Member

    @littlebobbytables

    > It should be noted that every version of 1Password from 4 to 7 will attempt to fill the currently open page if you use the keyboard shortcut ⌘\ - nothing has changed here in 1Password 7.

    I recalled otherwise but clearly I was mistaken if you are so sure. Regardless however of whether or not this was the previous behavior, I am still of the opinion that it is the wrong behavior.

    Unless there is a visible login field on screen 1Password should not be attempting to fill my info. Filling into invisible fields is a big privacy concern. In addition, it has also caused me data loss by over-writing what was previously in the field it has erroneously filled.

    To clarify, as a user I want two distinct things when I use the keyboard shortcut to call up 1Password mini:
    1. When there is a login field on screen - I want it filled.
    2. When there is no login field on screen - I want to see Mini in order to (a) edit the current site's entry, (b) extract info from a different login that's relevant to what I am working on, or (c) fill an identity or credit card.

    > I feel it is probably important for the discussion if you were to elaborate on the situation where 1Password is filling incorrectly.

    As a specific example of nothing being filled at all, take the page https://discussions.agilebits.com or https://www.facebook.com . On both those pages I use the keyboard shortcut expecting to call up mini and instead... nothing. I am now worried that my info (username and password) has been entered into either an invisible field or alternatively a field I hadn't noticed on the page.

    As an example of something being filled that shouldn't, take https://old.reddit.com/submit?selftext=true . Here when I use the keyboard shortcut (in my mind to pull up the mini interface) I instead get the url I had entered replaced with my username. While that's fairly minor, this could also happen to a much larger text field in which I had entered much more text.

  • littlebobbytables
    1Password Alumni

    Hi @whiteblade,

    It sounds like what will really help here is the alternative keyboard shortcut ⌥⌘\. That's the equivalent of clicking the 1Password button and always shows 1Password mini. The ⌘\ shortcut is defined as fill the open page. If we make filling too strict all we will do is massively increase the number of sites we don't work on. You and I can look at a sign-in form and we see the fields we need to fill but the mess underneath can be sometimes staggering. Sometimes we need to fill read-only fields, hidden fields, faux password fields and then there are the multi-page sign-in forms. Thanks to limited clues on the page, 1Password has to pick its best guess from a bad bunch.

  • [Deleted User]
    Community Member

    @littlebobbytables

    That's fine, but you failed to address the examples I provided. Is 1Password filling hidden elements on these pages?

  • mikeyh
    Community Member

    @rudy please reopen my original thread as the author, information content and level of detail are different from this thread. My posts are always in the beta forums.

  • littlebobbytables
    1Password Alumni

    @mikeyh, the issue you've raised is not specific to any beta, the behaviour is consistent over multiple stable versions of 1Password and across platforms. We want to keep the beta forums as focussed on issues specific to beta builds for a number of reasons. If you want a genuine discussion of the issue at hand it is sensible to have it located somewhere more likely to be viewed by the larger 1Password user base.

    @whiteblade, if you read my previous reply to you you will notice I directly reference hidden fields.

    > Sometimes we need to fill read-only fields, hidden fields, faux password fields

    1Password only ever fills when explicitly instructed to. The keyboard shortcut ⌘\ is currently defined as Fill Login or Show 1Password in 1Password, the show aspect only applying if 1Password needs confirmation as to which item to fill with. The fill operation, which can only happen when the domains match, will do its utmost to fill the current page using what information it has to hand. We allow 1Password to do its best to fill the page because for this to happen the user must have explicitly instructed 1Password to do so.

    Thanks to the staggering variety of designs out there 1Password will interact with read-only and hidden fields. If Login pages limited themselves to always using a visible text field followed by a visible password field we wouldn't need to be more aggressive but this is not the case. The existence of multi-page sign-in forms means there are plenty of examples where 1Password will need to only fill a text field and sometimes the only compelling factor for that choice is it's the only visible field.

    Turning the discussion to when should 1Password open-and-fill over fill, the default action is based on whether the two domains match. If the domains match 1Password will default to filling the current page, otherwise it will default to open-and-fill. To make 1Password only fill when full URLs match would make 1Password unusable for the vast majority of users and seems to ignore the following scenarios.

    1. Sites with multiple sign-in forms. Citi is a good example.
    2. Sites that use a multi-page sign-in process.
    3. Sites that may ask you to re-authenticate yourself e.g. session timeouts

    You can always explicitly initiate open-and-fill by clicking on a website field but to force filling only with complete URL matching would break filling in so many places that 1Password would potentially become useless.

    1. If you ask 1Password to fill a page that's what 1Password will do. If 1Password can't find a sensible field it will reason the page is bizarre and widen its search because the user told 1Password they wanted it to fill this page. We don't automate filling specifically so that the user is in control and 1Password only fills when the user tells it to.
    2. For basic usability we are also not going to demand strict full URL matching for filling and otherwise default to open-and-fill. It would break filling across a large number of sites and for very little gain if any at all. The open-and-fill action can always be explicitly called and is always available.

  • [Deleted User]
    Community Member

    @littlebobbytables

    > if you read my previous reply to you you will notice I directly reference hidden fields.

    I did read your reply, but maybe I wasn't clear enough explaining what I wanted.

    > Is 1Password filling hidden elements on these pages?

    On the specific pages I mentioned, is 1Password filling a hidden element with both my username and my password?

    Or more generally, my question would be whether 1Password always fills when the keyboard shortcut is invoked or if it sometimes can't find where to fill and will do nothing at all.

    > 1Password only ever fills when explicitly instructed to. The keyboard shortcut ⌘\ is currently defined as Fill Login or Show 1Password in 1Password

    I now understand more clearly what the expected behavior is and can adjust accordingly and use the alt key when necessary. Thanks.

  • littlebobbytables
    1Password Alumni

    Hi @whiteblade,

    I apologise, and thank you for correcting me - I hadn't understood that you were asking about the very specific examples.

    With https://discussions.agilebits.com, regardless of whether you are already logged in or not, filling on the homepage results in nothing being filled anywhere - zero fields have their value altered.

    With Facebook, the likely answer is there aren't hidden fields being filled, but I don't have a Facebook account to test with I'm afraid. For the homepage I see, the one with the registration and sign-in form, I can say we only interact with the visible fields, but I'm assuming you see a different homepage at https://www.facebook.com when you're logged in and it was this page you wanted reassurance about. If you're concerned at all, changing your Facebook password would mean that even in the worst-case scenario, which I would say is very unlikely, no damage can be done once you've changed your password. I don't believe any hidden fields will have been filled but it would be remiss of me to say this is categorically the case given I cannot test and confirm.

    What I would say is the current phrase used for the ⌘\ keyboard shortcut, Fill Login or Show 1Password, wasn't always this way and I don't think I like the "or" in there, not given the fact that 1Password will fill without further prompt if there is a single matching Login item. If the "or Show 1Password" is causing a disconnect from the keyboard shortcut's behaviour then that is something we do need to address.

  • [Deleted User]
    Community Member

    @littlebobbytables One possible solution is to show 1Password mini if no fields have their value altered. This way, regardless of what I see on the page, I always know for sure whether fields have been altered. If 1Password mini doesn’t show up, it means that I have a single login for that site and it was filled. If 1Password mini does show up it means that 1Password couldn’t find a login field to fill / wasn’t sure which login to fill.

  • Jacob

    Thanks for the suggestion! :)

This discussion has been closed.
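
The fill decision littlebobbytables describes (domain match, then a widening search that reaches hidden and read-only fields) combined with whiteblade's suggested fallback of showing mini when no field is altered, modelled as an added example; it is not 1Password's code and not part of the thread. `planFill`, `domainsMatch`, the `loginLike` heuristic and the field descriptors are hypothetical, and the sample pages are constructed.

```javascript
// Added example: a simplified model, not 1Password's implementation.
// Assumption: hosts match when equal or when the page is a subdomain of the
// saved item's host; a real matcher would consult the Public Suffix List.
function domainsMatch(pageUrl, itemUrl) {
  const host = (u) => new URL(u).hostname.replace(/^www\./, "");
  const page = host(pageUrl), item = host(itemUrl);
  return page === item || page.endsWith("." + item);
}

// Hypothetical heuristic for "looks like a login field".
const loginLike = (f) =>
  f.type === "password" || /user|email|login/i.test(f.name);

// Returns the action for the fill shortcut plus a report of what it touches.
function planFill(pageUrl, itemUrl, fields) {
  const report = (action, picked, widened) => ({
    action,
    widened,
    touched: picked.map((f) => f.name),
    hidden: picked.filter((f) => !f.visible).map((f) => f.name),
    overwritten: picked.filter((f) => f.value !== "").map((f) => f.name),
  });
  if (!domainsMatch(pageUrl, itemUrl)) return report("open-and-fill", [], false);

  // Pass 1: visible, editable fields that look like login fields.
  let picked = fields.filter((f) => f.visible && !f.readOnly && loginLike(f));
  if (picked.length > 0) return report("fill", picked, false);

  // Pass 2 (widened search): login-like fields even if hidden or read-only.
  picked = fields.filter(loginLike);
  // Pass 3: a lone visible text field, as on multi-page sign-in forms.
  if (picked.length === 0) {
    const texts = fields.filter((f) => f.visible && f.type === "text");
    if (texts.length === 1) picked = texts;
  }
  // Nothing altered: show mini so the user knows no field was filled.
  return picked.length > 0
    ? report("fill", picked, true)
    : report("show-mini", [], true);
}

// Constructed sample pages (not captured from any real site).
const submitPage = [{ name: "url", type: "text", visible: true, readOnly: false, value: "https://example.org/a" }];
const hiddenForm = [
  { name: "username", type: "text", visible: false, readOnly: false, value: "" },
  { name: "password", type: "password", visible: false, readOnly: false, value: "" },
];
console.log(planFill("https://forum.example.com/new", "https://example.com", submitPage));
```

The `hidden` and `overwritten` lists in the result are the two outcomes raised in the thread: credentials placed in fields the user cannot see, and existing text replaced by a fill.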