Pasting wrong password when iframe from a different domain

Apologies if this has already been stated before, I tried looking through and only found people stating that iframes could not be pasted into, which is not what this post is about.

I was on https://www.humblebundle.com updating my account information (linking 1Password OTP to the account) and also linking in 3rd party accounts. Steam, Twitch, and Battle.net all opened their OAuth pages in a separate tab, which 1Password was obviously able to work with perfectly.

However when I tried to link the Origin/EA account it opened the OAuth page in an iframe. When I had 1Password autofill it was able to paste the username/password into the login form, but it pasted the credentials for Humble Bundle, not Origin.

It seems that it is reading the url of the browser window, not the iframe window?


1Password Version: 7.2.2
Extension Version: 7.2.2
OS Version: macOS 10.14.2
Sync Type: My 1Password

Comments

  • brentybrenty

    Team Member

@theoriginalbit: 1Password should absolutely not be filling login credentials for one site at another. iframes suck for a lot of reasons, but the one we're concerned about for the purposes of this discussion is that it's easy for them to disguise their origin (no pun intended). Did you actually check the code to verify that it's actually sourced from the site you think it is? If so, that's great, but almost no one else will. I believe HumbleBundle is trustworthy, but that's not the case for all websites; and even those which are could be compromised, or just display an ad or injected code due to a scripting vulnerability. We cannot defend against everything, but one thing we can do is make sure that 1Password doesn't fill into what is verifiably the wrong website. In cases where you absolutely need to fill login credentials at different websites, you can add multiple URLs to that login. But in a case like this, where you presumably aren't doing this frequently, it's not too difficult to copy and paste in the meantime, if you're certain that's what you want to do. Hopefully EA/Origin will follow the others' lead -- similar to what Amazon, PayPal, and many others do -- to handle this without potentially exposing your account credentials to 3rd parties. I'd trust Humble, but there are plenty of other gaming websites where I would be wary of doing the same.

  • Yeah the code checked out. Humble is trustworthy, as is Origin. 1Password ext definitely pasted the humble credentials into the iframe and not the host site. The iframe reported the origin url, and the window reported the humble url.

    I definitely had the Humble password pasted into the Origin login form; I know this because I use different emails for both accounts. I (obviously) after discovering the mistake manually copy/pasta'd the login creds into the iframe. Not too sure what went on there. Definitely not worth adding the humble url to the origin account, especially since it was simply a one-time thing to link the accounts.

TBH everything I log in to has always been either a normal tab or a popup window (like PayPal), so I've never used 1Password with iframes before; I wasn't sure whether it was an issue in the extension or the website.

    Are there any further steps you'd like me to try that might help to determine if this is an issue with 1Password or the website? i.e. performing the workflow again with screenshots, or logs (perhaps a sysdiagnose).

  • brentybrenty

    Team Member

    Yeah the code checked out. Humble is trustworthy, as is Origin.

    Sounds good. We just can't expect everyone to do that. :)

    1Password ext definitely pasted the humble credentials into the iframe and not the host site. The iframe reported the origin url, and the window reported the humble url.

    That's ideal. We just don't want 1Password filling anything unless it can be verified that it's filling in the right place. It's not always a great user experience, but it's better for it to fill nothing at all than to fail badly and cause problems -- like getting you locked out of an account.

    I definitely had the Humble password pasted into the Origin login form; I know this because I use different emails for both accounts. I (obviously) after discovering the mistake manually copy/pasta'd the login creds into the iframe. Not too sure what went on there. Definitely not worth adding the humble url to the origin account, especially since it was simply a one-time thing to link the accounts.

    Yeah that was my thought, but ultimately it's your call.

TBH everything I log in to has always been either a normal tab or a popup window (like PayPal), so I've never used 1Password with iframes before; I wasn't sure whether it was an issue in the extension or the website.

    Ahh I see! I can't say it comes up often, but it does. It was a good idea to reach out.

    Are there any further steps you'd like me to try that might help to determine if this is an issue with 1Password or the website? i.e. performing the workflow again with screenshots, or logs (perhaps a sysdiagnose).

    The specific URL or (failing that) a screenshot of an "Inspect Element" on the password field in question would be great. Thank you! :)
