Autofill phishing using hidden text boxes

I saw the following report in the news today about stealing information using browser autofill functions, has 1Password addressed this already? The article mentions that LastPass is vulnerable.

https://www.theguardian.com/technology/2017/jan/10/browser-autofill-used-to-steal-personal-details-in-new-phising-attack-chrome-safari


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • jxpx777
    jxpx777
    1Password Alumni

    Hi, @aj_lawrence. We saw the same report and have been discussing it a bit as well. As with many (most?) things in security, everything starts with trust. If you don't trust the website you're on not to be engaging in such practices, then I would be very cautious about entering any information there, whether using your browser's autofill or 1Password form filling. Just like you should not be downloading software from sites that you do not trust, you shouldn't be giving your information to sites that you don't trust.

    That being said, 1Password does try to help you a bit here. The main thing is that 1Password will only ever fill your information when you explicitly ask it to. This also applies to Chrome's issues here, of course, but it's worth reiterating. But, 1Password also believes you when you tell it to fill fields on the page and it makes its best effort to fill in every field from your Identity or Credit Card on the page.

    It first tries to fill viewable1 fields but then falls back to filling non-viewable fields if no viewable fields match. We're currently reviewing the appropriateness of this behavior. There is a challenge to overcome before we could confidently exclude non-viewable fields from filling entirely without causing inappropriate filling failures for content that is scrolled out of view but is still technically viewable since we attempt to determine if a field is obscured by another field. (The same result can be achieved with fields positioned within the viewable portion but with another element covering them with absolute positioning. Just put a box over the sneaky fields whose background matches the background of the page, and the user can't see them.)

    One of the things 1Password can do that isn't possible with browsers is maintaining multiple identities. So, if you are on a new site you haven't used before and it asks for a name and email address, you could have a special identity that only has those fields filled in. This does mean maintaining two identities, but hopefully your name and email address aren't changing too often. :)

    I hope that helps explain things a little bit. Like I said, we're considering how we should respond to this and how we can make 1Password not fill these kinds of fields without sacrificing its overall success rate. I don't have much more to share about that right now, but it is something we're discussing. But, as ever, technology can only protect us so far, and it is still each user's responsibility to make sure they're taking reasonable precautions like keeping systems and software updated, not installing software from untrusted sources, and only providing information to trusted sources that you have sought out. If you take those steps, many common security issues can be thwarted before they have a chance to impact you.

    Let us know if you have any additional questions or concerns.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas


    1. We distinguish fields as visible, meaning they have a size and take up space in the box model, and viewable, meaning we're confident the element is at least partially visible to the user and not obscured by another element. The elements in the phishing page were visible because they still had size and took up space in the box model, but were not viewable because their position is entirely outside of the portion of the page you would ever see. We don't use the term "hidden" when describing these considerations of visibility or viewability because a "hidden" field is a specific kind of field that 1Password does not fill anyway. ↩︎

  • AGAlumB
    AGAlumB
    1Password Alumni

    @aj_lawrence: Apart from Jamie's excellent explanation, I also wanted to add that phishing is a significant, simple reason why something like Social Security Number is not part of the Identity template. It comes up from time to time, as certainly it would be useful to fill on occasion, but in the vast majority of cases we neither need or want to enter information with that level of sensitivity into a contact/billing form without careful consideration. Cheers! :)

  • Fooligan
    Fooligan
    Community Member

    I just ran into this article where auto-fill could be tricked into leaking information through hidden form fields. Here are some questions that I have for this discussion:

    • Are there any safeguards that 1Password implements or could implement to protect against leaking sensitive information?
    • Can you identify hidden fields and alarm the user?
    • Can a third party inject this type of attack into a website without the website owner being aware?

    I think the main concern is whether a third party can inject hidden fields on a site and redirect the data to an outside location. Is that even possible? The main concern for user data would be credit card and identity information that the user does not want to share when filling in forms on any web site (SSN, date of birth, preferred username, etc). I don't think there is much concern for compromised passwords since the web site/hack could only get information that is stored for the compromised site.

    I thought a discussion in the forums or possible a blog post from the Chief Defender Against the Dark Arts on the subject would be interesting.


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • sjk
    sjk
    1Password Alumni

    Hi @Fooligan,

    I've moved your Browser autofill used to steal personal details in new phishing attack post into this other discussion about that topic. I hope earlier responses from Jamie and Brenty here are helpful, and be sure to let us know if they haven't answered all your questions.

  • pervel
    pervel
    Community Member

    @Fooligan:

    I think the main concern is whether a third party can inject hidden fields on a site and redirect the data to an outside location. Is that even possible?

    Yes, it's possible if the site in question has been hacked somehow. But remember that in this situation it doesn't really matter if you're using a password manager or not. Anything you type into a hacked site can be misused by the bad guys regardless of how you entered it.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Excellent point. It's good to think about these things though to stay vigilant online. And fortunately 1Password doesn't do autofill in the first place; it only ever enters information into a web form when you tell it to. :sunglasses:

  • Tom Harrison
    Tom Harrison
    Community Member

    There's a great post on Medium regarding Chrome autofill feature, and how forms can use hidden, invisible, white-on-white and other ways to have chrome fill in fields without the user knowing.

    One of the replies asks whether password managers like 1Password may be susceptible to the same hack. I wasn't sure, and it wasn't clear from this support page.

    Let me know and I'll reply, or someone from AgileBits could reply to the thread.

    Tom Harrison
    Lifelong 1P Evangelist :-)


    1Password Version: 6.5.3
    Extension Version: Not Provided
    OS Version: OSX 10.12
    Sync Type: Not Provided

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Tom Harrison: Thanks for reaching out! I hope you don't mind, but I've merged your comment with an existing discussion on this topic. You'll find some great information above, but I wanted to at least mention two key points:

    1. 1Password doesn't autofill; it only ever interacts with a form when you tell it to.
    2. 1Password does try to fill "hidden" (to you) fields in some cases currently (e.g. popover login forms), but it's something we're continuing to evaluate.

    I've replied there as well. Thanks again for bringing this up, and for both supporting what we do and caring about security in general. Be sure to let us know if you have any other questions! :)

  • Tom Harrison
    Tom Harrison
    Community Member

    Wow -- sorry I missed the original thread -- as always, 1P is on top of things.

    A couple thoughts:

    • Trust is something those of us who spend our lives thinking about software and security pay attention to. It is not what most people pay attention to. Features such as Watch Tower (or Google's scary warnings about bad SSL certs, hacked sites, phishing email, etc.) are what get attention. To be sure, adding any more fear or friction to 1Password is undesirable, but if you're getting it right, web designers will stop doing all the stupid tricks they had to to make old browsers do new tricks. 1P has access to the DOM, and you're already doing some analysis.
    • You know whether a site has been seen before, and do your best to identify sign-up, log in, change password and other types of page. When prompting to save or update credentials, or fill fields, the first time list the fields being sent -- Chrome sort of does this by adding a yellow fill, but something simple like a list of the values added might help, especially if they are sensitive
    • Sites change a lot, of course, but you can keep track of whether a page is the same as it was last time. It's a clue, right?
    • You have to be able to make some sort of assessment -- a score -- of the legitimacy of a given site. If you're filling a field on a known and trusted site, you can be less suspicious of things like overlaid fields; less trusted perhaps more likely to raise an alarm.

    Cheers!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Trust is something those of us who spend our lives thinking about software and security pay attention to. It is not what most people pay attention to. Features such as Watch Tower (or Google's scary warnings about bad SSL certs, hacked sites, phishing email, etc.) are what get attention. To be sure, adding any more fear or friction to 1Password is undesirable, but if you're getting it right, web designers will stop doing all the stupid tricks they had to to make old browsers do new tricks. 1P has access to the DOM, and you're already doing some analysis.

    @Tom Harrison: Ha! I hear you! Some days it feels like one step forward and two steps back, but I think overall there's progress being made, if for no other reason than companies don't want to be the target of a mass exodus and/or class action lawsuits.

    You know whether a site has been seen before, and do your best to identify sign-up, log in, change password and other types of page. When prompting to save or update credentials, or fill fields, the first time list the fields being sent -- Chrome sort of does this by adding a yellow fill, but something simple like a list of the values added might help, especially if they are sensitive

    Indeed, we've been playing around with a number ideas, most of which are pretty gross from a user experience perspective (overlays, prompts, etc.) But I think in time, with continued discussion both internally and with passionate users like you all, we'll find a middle ground that can help rather than hinder.

    Sites change a lot, of course, but you can keep track of whether a page is the same as it was last time. It's a clue, right?

    You have to be able to make some sort of assessment -- a score -- of the legitimacy of a given site. If you're filling a field on a known and trusted site, you can be less suspicious of things like overlaid fields; less trusted perhaps more likely to raise an alarm.

    This isn't something that 1Password is able to do even at a rudimentary level right now, so it would be something that needs to be purpose built from the ground up. But if we look at other benefits we can use some sort of website database for, it becomes more reasonable to do so. I'm thinking password requirements, maybe site-specific login templates. But anything done in this area will also need to take privacy into consideration, as no one wants AgileBits to have access to user browsing habits. That's fundamental to the 1Password philosophy. Food for thought.

  • Tom Harrison
    Tom Harrison
    Community Member

    Excellent food! As a long time user, I know that AgileBits has the larger picture in mind. Thanks for your thoughtful response.

  • AGAlumB
    AGAlumB
    1Password Alumni

    You're totally welcome! I always appreciate the opportunity to talk someone's ear off about something I care about, and that we do here at AgileBits collectively. hehe

  • 365nice
    365nice
    Community Member

    A useful addition would be if 1Password communicated how many fields it has filled in - at least as a user I can see what it did vs what I think it should have done (not perfect I agree - but if you fill out 20 fields and I expect 2 then it's a warning).

    Additionally - you could keep history of this per login and if it suddenly jumped from
    3 to 20 you could warn me (again not perfect, but helpful as the site may have made a change which presumably they might have comminuted).

    This whole thing has made me rethink your password regen tool - I think I will manually copy generated passwords now (possibly this feature should do as above too - filling out more than 2 password folds would be deeply suspicious?)

    Tim

  • AGAlumB
    AGAlumB
    1Password Alumni

    A useful addition would be if 1Password communicated how many fields it has filled in - at least as a user I can see what it did vs what I think it should have done (not perfect I agree - but if you fill out 20 fields and I expect 2 then it's a warning).

    @365nice: That's an interesting idea. My first thought is "I would totally not bother to count", but you're right that in cases where it's 2 versus 20 that's an immediate red flag.

    Additionally - you could keep history of this per login and if it suddenly jumped from 3 to 20 you could warn me (again not perfect, but helpful as the site may have made a change which presumably they might have comminuted).

    I think this does become burdensome though, both for 1Password to track, and for the user to care about. But thinking outside the box like this may help us come up with something user friendly.

    This whole thing has made me rethink your password regen tool - I think I will manually copy generated passwords now (possibly this feature should do as above too - filling out more than 2 password folds would be deeply suspicious?)

    Well, there are plenty of sites that use multiple fields like this. It's a bit of a mess usually, but unfortunately there's still a lot of variation and non-standard login procedures that may cause false-positives...and we have to be careful of that since the user will get fatigued and just ignore it (think Windows UAC prompts and antivirus). Food for thought though!

  • 365nice
    365nice
    Community Member

    I think you guys can look at things like this - find anomalies and flag them.

  • jxpx777
    jxpx777
    1Password Alumni

    These are all interesting ideas, folks. Thanks so much for sharing them. We're still discussing things and deciding what actions to take. As ever, we take all our users' security and privacy very seriously, not least of which because that means our own security and privacy as well. :)

This discussion has been closed.