Username revealed as plugin opened

When I go to a website and click on the 1Password icon in the toolbar, it re-opens the previous 1Password div, and then overwrites it with the prompt for the master password. Sometimes (not very often) there is a pause long enough for whoever is browsing to read the site and username.

To log into one of my accounts, an attacker needs a username and a password. A username isn't halfway there, but it is a contribution. Please don't give it away.


1Password Version: 7.2.580
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: None

Comments

  • Hi @CloseAtHand,

    Thanks for reporting this.

    This is a known issue with the interface rendering cache, which we're working to resolve. You're not seeing an actual item list but a cached image from before the auto-lock kicked in, it is not stored on disk but only in memory. We're trying to tell Windows to reset the cache when locking but it doesn't want to listen to us, we'll get it fixed.

    To log into one of my accounts, an attacker needs a username and a password. A username isn't halfway there, but it is a contribution. Please don't give it away.

    Do you mean people walking by your screen when this appears?

    No decrypted version of your 1Password data is ever stored on disk, even with this UI glitch. You cannot copy or anything like that when this happens and your passwords are never exposed as, by default, 1Password conceals it.

  • CloseAtHand
    CloseAtHand
    Community Member

    Do you mean people walking by your screen when this appears?

    No, I mean if I step away from my desk without locking my desktop, if someone else clicks on the 1Password icon, the cached image is displayed. Sometimes for long enough to be read, which will get them the username to the last site I visited.

  • Hi @CloseAtHand,

    Yep, that is possible. I presume you're resetting your history whenever you exit your browser as well?

    Unfortunately, they could also infect your system if you're not careful to lock your desktop every time you leave.

This discussion has been closed.