New eBay checkout filling issue

ollifi
Community Member
edited July 2016 in 1Password in the Browser

Filling seems not to work properly on the new eBay checkout when you pay with PayPal. Username gets filled to coupon field and password to nothing. 1Password also thinks I'm trying to login to eBay when I actually login to PayPal (PayPal is integrated to eBay somehow). I'm using Chrome.

Please test this yourself (pick item, buy it and then choose paypal as payment method), it is hard to explain it further :)


1Password Version: 6.5 beta 7
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni
    edited July 2016

    Filling seems not to work properly on the new eBay checkout when you pay with PayPal. Username gets filled to coupon field and password to nothing. 1Password also thinks I'm trying to login to eBay when I actually login to PayPal (PayPal is integrated to eBay somehow). I'm using Chrome. Please test this yourself (pick item, buy it and then choose paypal as payment method), it is hard to explain it further :)

    @ollifi: Indeed, this isn't an eBay issue, a PayPal issue, or a 1Password issue, even though it involves all three peripherally. This is a security issue. That may sound absurd, but it's on me to back up that statement. I had an idea what you were talking about, but wanted to confirm the details. This is the URL stub I'm getting when I checkout with eBay:

    https://mbuy.ebay.com/xo?[RandomSessionID]

    You'll notice that PayPal isn't in there. 1Password, by design, will never offer you a login for a URL that doesn't match it. You may very much want to use your PayPal.com login at eBay.com, but 1Password filling it for you there would be no different than if it did so at www.paypa1.co.mu (as a made-up example phishing site — edit: and that's actually a number 1 and not a lowercase L, so the fact that they look identical also illustrates my point). Phishing scams are real and have probably affected someone you know. So 1Password is designed not to fill a login saved with one URL at another.

    Now, you can actually add "ebay.com" to your PayPal login item as an additional URL if you'd like to use it on both sites. But it's important that 1Password takes a staunch, cynical view of non-matching URLs to protect us in the 99.99% of other cases.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • ollifi
    Community Member
    edited July 2016

    Thanks for the reply. Paypal is nowadays shown in eBay as an iframe. Do you support filling in iframes?

    EDIT: Iframe URL is https://www.paypal.com/webapps/helios?state=XXX, and that matches to my PayPal login.

  • jxpx777
    1Password Alumni

    @ollifi Right now, we don't support this kind of filling. This could be a security concern because the parent frame has full access to the frame. So, while you might trust eBay in this way, other sites might be less trustworthy. It's unclear to me why eBay is approaching the payment process in this way. There are well defined ways for interacting with PayPal that do not require the user to fully trust the parent site, so I'm not sure why eBay have decided to approach the checkout process in the way that they have.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
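
Added example (not part of the thread and not 1Password's code): a sketch of the fill policy the two staff replies above describe, refusing a login whose saved URL does not match the page and refusing to fill a frame whose origin differs from the top-level page. The function names, the item shape and the suffix-based host match are assumptions made for illustration; the eBay session query string is constructed.

```javascript
// Illustrative policy model only. Host matching is a simplified suffix check;
// a production matcher would consult the Public Suffix List.
function hostMatches(host, savedDomain) {
  const h = host.toLowerCase();
  const d = savedDomain.toLowerCase();
  // "www.paypal.com" matches "paypal.com"; "paypal.com.evil.example" does not.
  return h === d || h.endsWith("." + d);
}

function itemMatchesUrl(item, url) {
  return item.domains.some((d) => hostMatches(url.hostname, d));
}

// topUrl: URL of the top-level page; frameUrl: URL of the frame holding the form.
function fillDecision(item, topUrl, frameUrl = topUrl) {
  let top, frame;
  try {
    top = new URL(topUrl);
    frame = new URL(frameUrl);
  } catch {
    return { fill: false, reason: "unparseable url" };
  }
  // The form lives in a frame embedded by a different origin: do not fill.
  if (frame.origin !== top.origin) {
    return { fill: false, reason: "cross-origin frame" };
  }
  // The saved login must belong to the page the user is actually on.
  if (!itemMatchesUrl(item, top)) {
    return { fill: false, reason: "url mismatch" };
  }
  return { fill: true, reason: "match" };
}

// Constructed sample items and URLs mirroring the thread.
const paypalItem = { title: "PayPal", domains: ["paypal.com"] };
const paypalPlusEbay = { title: "PayPal", domains: ["paypal.com", "ebay.com"] };
const ebayCheckout = "https://mbuy.ebay.com/xo?session=XXX";
const paypalFrame = "https://www.paypal.com/webapps/helios?state=XXX";

console.log(fillDecision(paypalItem, "https://www.paypal.com/signin"));
console.log(fillDecision(paypalItem, "https://www.paypa1.co.mu/signin"));
console.log(fillDecision(paypalItem, ebayCheckout));
console.log(fillDecision(paypalItem, ebayCheckout, paypalFrame));
console.log(fillDecision(paypalPlusEbay, ebayCheckout));
```
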

  • ollifi
    Community Member

    Thanks for the reply. I think many of your users use PayPal + eBay combination so perhaps you could add an exception in this case. Actually, I prefer the new layout instead of the old one. It looks nicer to user and easier since they don't have to navigate to different page to complete the payment - everything is done in one page.

  • AGAlumB
    1Password Alumni

    @ollifi: We won't be making an exception. That's a recipe for disaster. But if we can find a reliable way for 1Password to detect this and a good way to make it clear to the user what's going on, that may be a better approach that we can pursue in the future. But security comes first. We absolutely don't want to allow the possibility of 1Password filling in inappropriate places, and we also don't want to give the user the impression that this is happening, even when it isn't. We each have a right to know what 1Password is doing with our data. :pirate:

  • ollifi
    Community Member

    Thanks for the reply. I think an HTTPS protected PayPal frame in eBay isn't an "inappropriate place", but I understand your concern if the amount of exceptions would grow - that would make managing them difficult.

  • AGAlumB
    1Password Alumni

    @ollifi: Indeed. That's definitely a big concern on our end, but also intuitive consistency is something we strive for in the user experience, since an app behaving "unpredictably" would cause me to trust it less and feel uncomfortable relying on it. So we also need to take into account that any exception we make is something else the user has to track in order to know what to expect when they use 1Password in their browser. It's not an easy call.

    You're absolutely right that in this particular case it's almost certainly safe, given HTTPS and eBay and PayPal's established reputations. I don't mean to diminish that in any way. I use — and trust — both myself. But we need to consider all the ramifications of going down that path — and perhaps a better one can be found. Thanks so much for your thoughtful feedback on this! :chuffed:

  • shaines186
    Community Member

    This still seems to be a problem getting on for 6 months after this was posted. Whilst I understand the security concerns, 1password fails for me if it means that for Paypal I have to use a weaker password that I can type in manually. Is there any progress on fixing this?

  • AGAlumB
    1Password Alumni

    @shaines186: That's like saying that you have to use a weak password for any iOS app which doesn't support the 1Password extension -- and that's a lot. Certainly it's less convenient than 1Password being able to automatically fill, but copying and pasting a strong password isn't so bad at all, especially compared to the alternative of an account compromised. As Jamie mentioned, this has repercussions far beyond eBay/PayPal, so while we won't say "never", we will say "not unless it can be done securely to avoid exposing 1Password users to phishing attacks".

  • shaines186
    Community Member

    @brenty : I can't really comment on that as I don't use iOS - this is in Chrome. For me the benefit of 1Password is that it is easy and quick to use strong passwords. I love 1Password but any situation where it is unable to autofill makes it less attractive as a solution. With eBay/Paypal it is tempting to let eBay remember the Paypal login but that effectively removes one layer of security. +1 for a solution to this.

  • AGAlumB
    1Password Alumni

    It's your call, but if you control the device and use a long, strong unique password for your eBay login, having eBay remember your PayPal information is still more secure than using a weak password you can memorize and enter manually, since anyone could use that to get into your PayPal account.

This discussion has been closed.