1PW7 Windows - opening pswd secured PDFs in gmail triggers 1PW auto-save feature

I received a password protected PDF file. I opened the PDF from Gmail in a Firefox browser session. Entering the password to open the PDF file triggered the 1PW login auto-save.

I wasn't sure if this is expected behavior, but it seemed a bit odd to me. I don't think 1PW4 behaves this way, and while I guess I could see a case for wanting to save password protected files' password, it does seem like a great way to bloat a vault with junk.

Thoughts?


1Password Version: 1Password 7
Extension Version: Not Provided
OS Version: Win8.1
Sync Type: Dropbox

Comments

  • Hi @Superfandominatrix,

    Thanks for reporting this.

    1Password 4-7 for Windows reuses the same 1Password browser extensions, 1Password app is being told by the 1Password extension that there is data to be saved.

    The 1Password extension will attempt to auto-save any open text field and a password field it can detect, and so, the question is why does it think your PDF file was a website that has a password field to be saved.

    I just tried to reproduce this with my own PDF that's password-protected, directly opened from Gmail site in Firefox on Windows did not prompt any auto-save dialog.

    Are you able to reproduce this again? Can you give more details like if you do save it, what address did it save?

  • Superfandominatrix
    Superfandominatrix
    Community Member

    @MikeT I was able to replicate and in doing so, I recalled why I decided to report this. The nasty part of this behavior is that the prompt initially indicates to "Update Existing" Google Account details. The Google login entry is probably the most important one in my vault with critical two factor authentication info, one time break in codes, etc. I don't want to accidentally overwrite this information with PDF attachment password info. Here is the password save prompt. I've had to crop closely because this event occurred with tax information:

    I clicked "Create New", and this is the image of the data it saved. The obfuscated password is the PDF password and I can't provide it because it's personal information:

  • Hi @Superfandominatrix,

    I've moved this thread to our Saving and Filling in Browser forum, so our extension team can investigate this and figure out what's going on. This isn't normal at all but I haven't been able to reproduce this at all.

    /cc @littlebobbytables

  • Superfandominatrix
    Superfandominatrix
    Community Member

    @MikeT @littlebobbytables I am not able to replicate if the PDF password is cached by the browser or 1PW7 already has the record recorded. For me to replicate, I have to make sure the entry is deleted in 1PW7, let 1PW7 backup zip creation and zip file Dropbox syncing complete, clear Firefox cache and restart Firefox.

    Once I reopen Firefox from a clean state, open the email with the PDF attachment, click attachment to open the PDF file in same FF tab (not clicking to download or save to Google Drive), then enter the PDF password within the FF tab, I am reliably able to cause the 1PW7 login auto-capture to pop up.

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @Superfandominatrix,

    So I can reproduce although I see slightly different behaviour in 1Password for Mac over 1Password 6 for Windows. I'm still prompted but on the Mac it defaults to wanting to save a new Login item rather than update an existing one. Would I also be correct that you instinctively press enter after typing the PDF password rather than clicking on the submit button? My findings also discovered we don't react when clicking the decrypt button, only if the enter key is used. This difference is because we do have separate checks depending on which route the user has gone down and often they're unable to infer the same details. I was able to reproduce because I do instinctively go for the return key myself.

    Due to the presence of the password field we definitely want the check to pass at least partially pass but it would be nice if there is a way to recognise this for what it is and realise that it is very unlikely the user will want this stored in their vault. Thank you for bringing this to our attention. I confess I didn't even know the likes of gmail allowed you to access password protected PDFs in this manner.

  • Superfandominatrix
    Superfandominatrix
    Community Member
    edited March 2018

    @littlebobbytables This is the first time I recall seeing this behavior in Gmail too. Yes, I never click buttons if I can keyboard click. Hate mouse usage in general and the trackpad mouse on my laptop specifically :-) I'm going to press the space button on my keyboard to submit this post~

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Superfandominatrix: Ohhhhhh of course!!! If you're entering a password there, it makes sense that 1Password would offer to save that. In most cases PDFs are not password protected and accessed on a website, so that was pretty baffling. You can always click "Not now" or the arrow to tell 1Password you don't want it to offer to save at that site, but ultimately we do want 1Password to at least try. This may help others in the future though. Thanks for bringing it up!

  • Superfandominatrix
    Superfandominatrix
    Community Member

    @brenty Yeah, the thing that put me over into "report this" was that 1PW7 was asking me to update my existing Gmail entry. I can see maybe wanting to have file passwords stored into a vault, but not to overwrite the gmail account details. As @littlebobbytables indicated, the Mac version is suggesting a new login be saved. The Mac version's event flow makes more sense and isn't as risky a mis-click.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Superfandominatrix: That makes perfect sense, and I think you're right to push back on this. Honestly my only real concern either way is that 1Password doesn't ignore the password. So in that regard I think this is okay. It is much worse for someone to lose a password because 1Password doesn't prompt at all than to offer, even if the person mistakenly updates the login, because it will have the password history still — and of course the user can always click "Not now" if they don't want to in the first place. But yeah, I can see where you're coming from. I'm not sure it's something we can work around, but we'll see. Thank you! :)

  • Superfandominatrix
    Superfandominatrix
    Community Member

    @Superfandominatrix Retested this matter on 1PW7 v7.0.539, and I am still prompted to Update Existing log on instead of prompting to save a new entry. Just FYI~

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for following up! We're working to consolidate things cross-platform, and while it will probably be a while before that's done, that should allow for more consistency in the browser. IN the mean time, even if you do update an existing login, you can always grab the old password from the password history if needed. Cheers! :)

This discussion has been closed.