Fill weak matching may paste username / email into random input text field

mikeyhmikeyh Junior Member
edited May 2018 in Mac Beta

Splitting this off from: https://discussions.agilebits.com/discussion/comment/433720/#Comment_433720

If there are no password input fields on a page then 1Password fill may leak your username / email address by pasting it into a random text input field on the page.

The saved URLs and web form details are simply ignored with this weak matching.

There is no option to specify that the saved page URLs and web form fields must be honoured for high security sites.

Go to any site which does NOT have an embedded login form with an input password field in the page.

Save a login on the actual login page eg that might be /login with fields username and password in saved form details.

Logout and attempt to use fill on any page other than the /login page.

1Password will paste your username / email address into a random input text field on the page not caring about the consequences.

Sometimes this might be a hidden field or off screen that you cannot see so it look like 1Password did nothing.

This could also be a third party component like a search form using an external API for auto complete. 1Password just leaked your username / email to a third party server as a search term.

Another example is multiple accounts on the same server or multiple services on subdomains.

If you happen to have a shared Google Doc open and you try to fill a different Google login thinking 1Password would open your saved login URL (or even just clicked / double clicked accidentally in mini) then 1Password will paste your username / email into the Google Docs title instead leaking it to everyone including anonymous people using a public link.

This kind of guessing logic is just dangerous for a security product even if you have checks which try to avoid scenarios like search fields. You can't check for every possible language and naming convention.

There should be a high security option for logins that disables this kind of weak matching.


1Password Version: 7.0.1
Extension Version: 4.7.1.4
OS Version: OS X 10.13.4
Sync Type: Not Provided

Comments

This discussion has been closed.