Data leak across multiple Chrome profiles [Fixed in BETA-16]

Comments

  • @mikeyh,

    If you tell 1Password to try to fill a Login item it is going to make a best attempt at doing so. We have to do things like that because some web developers do some arguably very strange things, and we can’t possibly account for every case. So we make educated guesses as to where the information should go.

    1Password doesn’t fill anything unless you ask it to.

    Ben

  • [Deleted User]
    Community Member

    @Ben you never did seem to respond to this:

    Also need to know if this is a 1Password 7 beta app or 1Password extension beta issue (or both) as I need to revert to an older version or stop using 1Password.

    Any comment? I am slightly worried that people are discovering bugs like this as to me this seems like a very severe bug for a password manager. I'm considering switching back to v6 so I'd like to know if this is a v7 bug or an extension bug.

  • AGAlumB
    1Password Alumni

    @whiteblade: I'm sorry, as I missed that as well. This issue was with the 1Password 7 beta. The apps handle all of the filling logic, not the extensions. But, as noted previously, this was fixed in beta 16. Thanks for the poke, and again, I'm sorry we didn't reply sooner.

  • My apologies as well for the oversight.

    Ben

  • [Deleted User]
    Community Member

    @Ben

    If you tell 1Password to try to fill a Login item it is going to make a best attempt at doing so. We have to do things like that because some web developers do some arguably very strange things, and we can’t possibly account for every case. So we make educated guesses as to where the information should go.

    It certainly feels to me that the logic for this has changed between v6 and v7 for the worse. I used to never have issues with stuff getting filled in when I didn't want it to previously (unless it was on a site with multiple fields such as name, address, credit card - and then 1Password would sometimes attempt to fill the name with my username when I was just trying to bring up mini to fill the credit card).

    Now even on your own site at https://discussions.agilebits.com if I call up mini with the password it thinks it is filling my info somewhere so it doesn't bring up mini. Not to mention that it must be filling a hidden element (as I can't find anywhere that's been filled) which is worrying in itself.

  • I’ll bring the point up with the team. Thanks. :)

    Ben

  • [Deleted User]
    Community Member

    @Ben Any update on this situation?

  • AGAlumB
    1Password Alumni

    As mentioned in the title, this issue was fixed in beta 16. Cheers! :)

  • mikeyh
    Community Member
    edited May 2018

    I certainly do not consider the full issue fixed.

    The Google Docs example where your email is leaked into the title of an active document should have been a strong enough example of the full 1Password defect.

    Here is another simple example of why pasting usernames into the first random text input field in a page is just stupid for a security focused product.

    Visit a page of a website that uses a separate login url /login with NO username or password input fields on home page.

    Use open and fill which was saved with username and password details for /login page.

    1Password pastes username into first text input field on page which just happens to be a third party search with auto complete that sends data to an external server.

    Thanks AgileBits for just leaking my email address to a third party server.

    This applies to any other similar site where you could be pasting email addresses into any random text input field with no idea what the consequences are.

    Just because you asked 1Password to open and fill on a page with no username and password doesn't mean it should jump off the bridge.
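
The failure mode described in the post above (a username filled into the first text input on a page with no login form, or into a hidden element as raised earlier in the thread) can be avoided by refusing to fill unless a visible password field anchors the form. This is an added example, not 1Password's code and not written by any poster; the field-descriptor shape and the names `isFillable` and `chooseFillTargets` are assumptions made for illustration.

```javascript
// Added illustration: conservative selection of autofill targets.
// Field descriptors are a constructed stand-in for DOM inputs (assumed shape).

const USERNAME_HINTS = /user|email|login/i;

// A field is eligible only if it is visible and editable.
function isFillable(f) {
  return Boolean(f.visible) && !f.readOnly && !f.disabled;
}

// Returns { username, password }, or null when the page has no login form.
function chooseFillTargets(fields) {
  const password = fields.find((f) => f.type === "password" && isFillable(f));
  if (!password) return null; // no visible password field: refuse, do not guess

  // Username candidates must share the password field's form and precede it.
  const candidates = fields.filter(
    (f) =>
      isFillable(f) &&
      f.form === password.form &&
      (f.type === "text" || f.type === "email") &&
      fields.indexOf(f) < fields.indexOf(password)
  );
  // Prefer an explicit autocomplete hint, then a name hint, then the nearest field.
  const username =
    candidates.find((f) => f.autocomplete === "username") ||
    candidates.find((f) => USERNAME_HINTS.test(f.name)) ||
    candidates[candidates.length - 1] ||
    null;
  return { username, password };
}

// Constructed sample pages (not taken from any real site).
const homePage = [
  { name: "q", type: "text", form: "site-search", visible: true },
];
const loginPage = [
  { name: "q", type: "text", form: "site-search", visible: true },
  { name: "tracking", type: "text", form: "login", visible: false },
  { name: "email", type: "email", form: "login", visible: true },
  { name: "pass", type: "password", form: "login", visible: true },
];

console.log(chooseFillTargets(homePage)); // null
console.log(chooseFillTargets(loginPage).username.name); // "email"
```

On the constructed home page the third-party search box is never touched, because nothing is filled without a password field in the same form.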

  • AGAlumB
    1Password Alumni

    @mikeyh: The only way that happens is if you tell 1Password to fill on the page. Again, if you don't want login credentials filled into a webpage, don't tell 1Password to do so. You have the power.

    The issue you reported was data being filled in one profile also being filled in another. That's the bug you reported. Thank you for doing so. It's been fixed.

  • closed because this discussion has moved to a different thread.

This discussion has been closed.