TextExpander grabs most recently used password from 1Password....

schralp
Community Member

One of my TextExpander (v6.2.2.1) snippets pastes the last used password from 1Password rather than the intended phrase. Needless to say, this is a serious security concern. Other applications shouldn't have access to those protected items. This needs to be addressed ASAP and patched immediately. If anyone else has this issue, please chime in. Thanks.


1Password Version: 6.8.1
Extension Version: 4.6.11
OS Version: 10.12.6
Sync Type: iCloud

Comments

  • AGAlumB
    1Password Alumni
    edited September 2017

    @schralp: Unfortunately this isn't something 1Password has any control over. You can set 1Password to clear the clipboard contents more quickly (Preferences > Security), but 1Password cannot stop other apps from accessing your clipboard. There is an unofficial standard (org.nspasteboard.ConcealedType) that apps can adopt to ignore clipboard contents marked as "secure", but it's up to them to do so. I'm using the same version though and haven't encountered this issue with TextExpander. Do you perhaps have settings or variables you're using in snippets that cause this to happen in your case? Otherwise the only way to ensure that other apps cannot access sensitive data is to not put it on the clipboard in the first place.
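
The unofficial org.nspasteboard.ConcealedType marker mentioned in the reply above, shown from both the writing and the reading side in Swift. This is an added example, not part of the original thread and not 1Password's or TextExpander's code; `copyConcealed`, `ClipboardHistory` and the sample strings are hypothetical.

```swift
import AppKit

// Marker type from the unofficial convention named in the post above.
let concealedType = NSPasteboard.PasteboardType("org.nspasteboard.ConcealedType")

/// Writer side (a password manager): copy a secret and flag it as concealed.
func copyConcealed(_ secret: String, to pasteboard: NSPasteboard) {
    let item = NSPasteboardItem()
    item.setString(secret, forType: .string)
    // Readers test only for the presence of the marker type; its value is unused.
    item.setString("", forType: concealedType)
    pasteboard.clearContents()
    pasteboard.writeObjects([item])
}

/// Reader side (a clipboard history or text-expansion tool; hypothetical class).
final class ClipboardHistory {
    private let pasteboard: NSPasteboard
    private var lastChange: Int
    private(set) var entries: [String] = []

    init(watching pasteboard: NSPasteboard) {
        self.pasteboard = pasteboard
        self.lastChange = pasteboard.changeCount
    }

    /// Call on a timer; comparing changeCount is the usual way to detect a new copy.
    func poll() {
        guard pasteboard.changeCount != lastChange else { return }
        lastChange = pasteboard.changeCount
        // Honor the marker: never read or store content flagged as concealed.
        if (pasteboard.types ?? []).contains(concealedType) { return }
        if let text = pasteboard.string(forType: .string) { entries.append(text) }
    }
}

// Demo on a private pasteboard so the real clipboard is untouched (constructed values).
let demo = NSPasteboard.withUniqueName()
let history = ClipboardHistory(watching: demo)
copyConcealed("constructed-sample-secret", to: demo)
history.poll()                                  // skipped: marked concealed
demo.clearContents()
demo.setString("111-555-1212", forType: .string)
history.poll()                                  // recorded: ordinary text
print(history.entries)
demo.releaseGlobally()
```

The marker is advisory: it only protects the secret from readers that check for it, which is the limitation the reply describes.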

  • schralp
    Community Member

    I was under the impression that 1Password bypassed the clipboard when filled directly from the extension; which is what I do. I don't ever copy and paste passwords to and from the clipboard. Nevertheless, your explanation does not seem to fit the facts. The snippet is the one I use for my phone number which I only use when filling out online forms. As such, I've always expanded several other snippets by the time I get to that field; first name, last name, address, city, state, zip....etc. Under the scenario you're describing, the problem should occur with the first snippet. However, it only occurs when I use the snippet for my phone number. I'm guessing there is some kind of bug related to the particular text of my TextExpander snippet.....but I'm not a software engineer; are you?

  • AGAlumB
    1Password Alumni

    > I was under the impression that 1Password bypassed the clipboard when filled directly from the extension; which is what I do.

    @schralp: It does, but it's possible for other running apps to grab any text on the screen that you can see.

    > I don't ever copy and paste passwords to and from the clipboard. Nevertheless, your explanation does not seem to fit the facts.

    Sorry for misunderstanding. I know this is how 1Password works, but then again I don't have all the facts of your particular situation.

    > The snippet is the one I use for my phone number which I only use when filling out online forms. As such, I've always expanded several other snippets by the time I get to that field; first name, last name, address, city, state, zip....etc. Under the scenario you're describing, the problem should occur with the first snippet. However, it only occurs when I use the snippet for my phone number. I'm guessing there is some kind of bug related to the particular text of my TextExpander snippet.....but I'm not a software engineer; are you?

    I don't consider myself one, but I guess it depends on your perspective. :)

    Anyway, without more details it's really hard to say. I just don't have any sense of the differences between "the first snippet" and the other. Definitely helpful to know it's only one particular snippet. But I know that TextExpander makes good use of JavaScript on macOS, and we're also using that for filling in the browser. It's possible there's a bad interaction there...or simply something in what you're filling with 1Password is triggering TextExpander, or vice versa. Would you be willing to share the snippet, provided it does not have anything sensitive in it? That way we can test it here to try to narrow down the cause, whether that be something in 1Password, in TextExpander, or both.

  • schralp
    Community Member

    The snippet is 'pphonehome'; obviously it's text in a numerical field. However, I also use 'zzip' for zip code (usually immediately beforehand) and that never inputs the wrong information. It is specifically related to this one snippet but very troubling....

  • schralp
    Community Member

    Oh, and again, I've used the snippet for many years (and have used TextExpander and 1Password for many years as well) and the problem only showed up recently.

  • ag_kevin
    edited September 2017

    Hi @schralp,

    This is a bit puzzling. If you only fill with the extension, the clipboard is not used, but I've never known TextExpander to grab things from text fields on the screen.

    However, there is one exception. If you fill a login item that has a TOTP (Time-based One Time Password) in addition to the username and password, that TOTP value is copied to the clipboard so you can paste it into the TOTP field. The reason for this is that it's currently not possible to automatically fill TOTP values.

    Is that what you are seeing or is it a password from your password field?

    Also, can you paste the contents of the pphonehome snippet text here? (Not what is replaced, but the snippet text from the TextExpander app.) Obviously, if it contains your phone number, change that part to something like 1115551212 or similar, but I'd like to see the rest of the snippet text to see what it is doing.

    Thanks,
    Kevin

    ref: ZCH-37198-311

This discussion has been closed.