In patreon.com password-reset flow, 1password changed my username to a guid

gthb
Community Member
edited September 2020 in 1Password in the Browser

I went through the forgotten-password flow on patreon.com, where I already had a password in 1password that wasn't working for some reason. I clicked the link in the do-you-really-want-to-reset email from Patreon, accepted the new password suggestion from the Firefox 1password extension, and answered yes to its “Update password?” question, and the reset-password operation worked just fine. But my 1password entry for Patreon had now had the username (my email address) overwritten with a GUID. Not the password I was setting, and not a GUID that I'm aware of being used anywhere else. I'm guessing it's an underlying account ID that's present in a hidden field in the patreon.com web form, and the 1password extension mistook it for a changed username.


1Password Version: 7.6
Extension Version: 1.21.0
OS Version: macOS 10.15.5
Sync Type: 1password.com
Referrer: forum-search:reset password guid

Comments

  • ag_yaron
    1Password Alumni

    Hey @gthb ,
    Thanks for reporting this.

    Can you please try and see if you can reproduce the issue once more or if it was a one time glitch?
    If you've managed to reproduce it again, kindly provide me with exact step-by-step details on how to reproduce it here.

    Thank you :chuffed:

  • gthb
    Community Member

    Hi — yep, it reproduces consistently. Steps:

    1. Have an account on patreon.com
    2. Log out of it if needed
    3. On patreon.com click “Log in”
    4. Click “Forgot password?”
    5. Enter email address and click “Reset Password”
    6. Receive the email and click the link
    7. In the “Password Reset” form, click the 1password icon, “Suggestions -> Generated Password”, and “Use Suggested Password”
    8. Select “Update Saved Login” and click “Update”
    9. Click “Reset password”
    10. Click “Log in”
    11. In the login form, click the 1password icon, and note that the suggested 1password entry for Patreon now has a GUID showing, instead of your email address
    12. Open 1password itself and observe that the Patreon entry indeed has username set to this GUID, and your email address is gone. In “View Item History” you can see the previous state had the username set to your email address.

    Cheers,
    Gulli

  • ag_yaron
    1Password Alumni

    Thanks for the steps @gthb .

    However, I wasn't able to reproduce it yet again. The password changes properly and the username in my login entry remains untouched.
    Are you using the English version of the website?

  • gthb
    Community Member

    Yes, English version.

    Some more information: I noticed that the GUID is actually the same each time ... and googling it, I get this search result: https://urlscan.io/result/758d90cb-94c2-466b-a799-d322d5d4ebd2 and sure enough, in transactions there, Patreon appears to send a tracking request to https://tr.snapchat.com/p?pid=b8921e43-71f6-4757-b230-86c69147279c generally, and I see in Firefox dev tools that it does that also from my browser (including a bunch of other URL parameters) when I visit patreon pages. So I'm guessing this GUID is a tracking ID for patreon itself in this Snapchat API. And somehow it's mistakenly making its way into the 1password Firefox extension's update-password transaction.

  • gthb
    Community Member

    That tr.snapchat.com request is being blocked by the Privacy Badger extension in my Firefox — maybe that's related somehow? (That would explain why this doesn't reproduce for you).

    The initiator of that request is https://www.googletagmanager.com/gtm.js?id= and in turn the initiator of that script is a script tag in the head element of the Patreon page.

    Hope that helps!

  • ag_yaron
    1Password Alumni

    Thanks for the additional valuable info, @gthb .

    I was testing in Chrome at first, so now I tested with Firefox but still couldn't reproduce. You found some interesting stuff here, can you please try disabling all other extensions except for 1Password and see if you are able to reproduce? The main culprit for me is Google Tag Manager, but I'd like to first test in a cleaner environment.

    If things work properly without any other extensions, you can start turning them back on one by one, but test again after each one you turn on so we can pinpoint the culprit.

    This is just out of curiosity and not for actually fixing anything since this is probably not something we'll be able to fix on our side (especially if another extension is modifying the webpage and adding variables to fields etc), but it will help us make sure this is indeed not a bug in our extension.

  • gthb
    Community Member

    Hi. I disabled all add-ons other than 1Password X and still got the same behavior.

    Then today (finally) I applied the pending update to Firefox itself by restarting it, and then tried again. Same behavior, still with no other add-ons enabled. So it does seem to be a bug in 1Password X.

    The “About Firefox” box now shows version “80.0.1 (64-bit)”, and the 1Password X add-on shows version 1.21.0. I'm on a Mac running macOS 10.15.5. Anything else you need, fire away. :)

  • ag_yaron
    1Password Alumni

    Hey @gthb ,
    Thanks for the update.

    I tried to reproduce once again, without success. We have to find a way to reproduce this here in order to fix it (if it is indeed an issue with 1Password).
    My setup:

    • Mac OSX 10.14.6
    • Firefox 80.0.1
    • 1Password X 1.21.0

    The steps I took:
    1. Went to Patreon's login page.
    2. Clicked the "Forgot password" button and input my email.
    3. Got an email with a reset link. Opened it in Firefox and generated a new password with 1Password X, then updated the existing login.
    4. The login was updated with the new password, the username remained untouched.

  • gthb
    Community Member

    Those are exactly my steps, the only difference I see is the OS version (but that seems unlikely to be what makes the difference).

    For another data point, I tried to reproduce this in Google Chrome (85.0.4183.83) where I also have 1Password X 1.21.0, and disabled all other extensions. I did not get the erroneous behavior there (and still I verified in the Network tab that the same tr.snapchat.com request gets sent, with that same GUID).

  • ag_yaron
    1Password Alumni
    edited September 2020

    Care to try a new user profile in Firefox, @gthb ?

    A new user profile is like a new install of Firefox, without having to reinstall it :pirate:
    If this issue doesn't occur in a new user profile in Firefox, then the issue is local to your main profile and its settings/cache.

    Worth a try.

  • gthb
    Community Member

    Oh right, hadn't thought of that! Just did that now, fresh new profile, added the 1Password X extension, went through the above steps, and yep, username gets changed to that same GUID.

  • ag_yaron
    1Password Alumni

    Hmm... I'm gonna try to get someone else to try and reproduce this.

  • ag_yaron
    1Password Alumni

    Hey @gthb ,
    We can't reproduce it here, so we'd like you to collect some details from the change password page that you are getting, perhaps it is different than the one we're seeing here.

    1. Enter about:debugging#/runtime/this-firefox in your address bar and press Return or Enter.
    2. Click Inspect next to 1Password X.
    3. Click the Console tab in the Developer Tools window.
    4. Paste the following command into the console and hit Enter: localStorage.setItem("devtools", "Y")
    5. Quit Firefox completely, then relaunch it.
    6. Get to the change password page on Patreon, then before autofilling it, right click the 1Password X extension icon on the top right corner of Firefox and select "Developer Tools" -> "Collect page details".
    7. Copy the page details to a text file and send it over to support+extensions@1password.com, alongside a short description and a link to this discussion so we can connect the dots quicker.

    Hopefully we'll find something there :)

  • gthb
    Community Member

    Done!

  • ag_ana
    1Password Alumni

    @gthb:

    Thank you! I confirm that I have managed to locate your message in our system :+1: We will take a look and someone will get back to your email as soon as possible.

    Thank you for your patience!

    ref: NEJ-44361-933

This discussion has been closed.