Password transfer from email to survey form

Brian987
Community Member

Just bought some shoes from Rieker online. They emailed me inviting me to fill out a survey on my purchase. I'm doing this on my iPad.
On their email, I "copy" the product code, select the "take survey" option, and the form opens in Safari. I "paste" the product code in the title box, but..........
Instead of the product code appearing (an 8-digit numeric code) I see to my amazement, and shock, one of my passwords stored in your app (which I have been happily using for quite a while). The password appeared in clear text. This one is 12 characters, a mix of upper and lower case, plus numbers and other characters, all quite random. It is used in only one of the 72 entries I currently hold in this app.
I find this deeply concerning, as you can imagine.
I've erased the password, and repeated the copy-and-paste routine, and it worked properly.
I have completed and submitted my review to Rieker.
Finally, I tried again to reproduce what happened, but the tab on the Rieker email now tells me "you have already submitted a review"!
Please can you help/advise?
Many thanks
Brian M Barber



Comments

  • Hi @Brian987

    Could you please check in the Settings app under Passwords & Accounts > AutoFill Passwords to see if you have iCloud Keychain enabled? If you do, please disable it.

    Thanks.

    Ben

  • Brian987
    Community Member

    Hi Ben, Thanks for getting back to me. I think you must be talking about a more modern iPad than ours are. Mine is an original, about 6 years old. It doesn't have the selections you refer to in "Settings". However, my wife's iPad Air (first version) does have something similar; not "Autofill Passwords" but I found my way to iCloud Keychain, and it was already disabled. In fact, the access to the Cloud has never been enabled. It could have been relevant to my experience, as both our iPads are registered to the same two email addresses, but it seems that the explanation for my symptoms must lie elsewhere.
    Any other thoughts?
    Thanks,
    Brian

  • Brian,

    Thanks for the additional information. There are three ways that 1Password can interact with web pages:

    So, a few questions that I would have:

    • Were you using any of the above mentioned features at the time this happened?
    • Did the password that you saw on the Rieker web page match a Login item that you have saved for Rieker? If not, does the Login item that password is associated with have an appropriate website field specified on it?

    1Password only fills Login items where the URL in the website field matches the URL of the page you're currently viewing. If you were not using any of the above features and do not have a Login item with that password on it that has a website field that matches the page you were on, then I'm struggling to figure out how what you saw could be associated with 1Password.

    Please let us know.

    Ben

  • Brian987
    Community Member

    Hi Ben,
    Sorry for the delay; I'm still getting used to finding this Forum page to see if you have sent a reply.
    To answer your questions:
    No, I wasn't using any of the three features.
    No, the password that I saw on the Rieker survey page is unique to the one, financial account where it is stored. I have not entered a web address for any of the logins (now there are 73), as I keep a separate register of the ones I use frequently; on my iPad they are stored as Bookmarks (this includes the financial website in question, but not the Rieker website).
    I can see this is difficult, and I am completely baffled and disturbed. I fondly imagined I had created a really secure password. I only ever transfer it by copying the unrevealed password, and pasting it into the 'log in' page of the financial website. And suddenly, there it is in full view!
    I do hope you may find a solution.
    Best wishes
    Brian

  • @Brian987

    You mentioned that this happened while attempting to paste... in speaking with one of my colleagues I was reminded of a feature that may explain what you saw. 1Password for iOS has a feature where if you copy the username from a record and then at some point switch back to 1Password it copies the password from that record automatically. Does that possibly explain the behavior you saw?

    Ben

  • Brian987
    Community Member

    Hi Ben,
    I don't think so, although it's an interesting idea.
    I should explain that the financial website whose password was "lifted" was Fidelity. The survey form was an attachment to an email from Rieker. The number I was trying to copy and paste was the product code in the email for the shoes I had bought, and nothing to do with any record in 1Password; I haven't even made a record of the Rieker account, and there was no requirement to supply a user name in order to complete the survey. I can't really see how there could have been any connection from an email from Rieker with a password in the Fidelity record.
    Somewhere there must be an explanation?!!
    Best wishes
    Brian

  • AGKyle
    1Password Alumni

    Hi @Brian987

    Ben asked me to jump in here. I'm on both our iOS team and our security team.

    First I want to say it's unlikely we find any definitive way to explain this since we don't keep a record of any of this in the logs for 1Password. So we can't reference anything to indicate what may have been done. Best I can do is offer up the ways that items can be copied to the clipboard.

    There are only 5 ways that I can think of that cause anything to be in the iOS clipboard, as related to 1Password:

    1. You explicitly tap a field and select copy (I'm going to call this "explicit copy," it falls under tapping on a field, swiping to copy, and other selection of an explicit copy button)
    2. You tap a field as part of an item in the Favorites screen. Then you can leave 1Password and come back and within a certain time frame it'll copy additional fields to make copying successive fields easier. So the first field is explicit but subsequent fields are automatic upon launching.
    3. Generating a new password will also copy to the clipboard, as will saving a new item
    4. If Universal Clipboard is enabled and you copy from another app you may end up with that clipboard being available on other devices.
    5. TOTP codes can be copied automatically as part of Password AutoFill. This isn't a password, but it's another thing that we can automatically copy so I'm listing it here.

    All of our copying goes through the same method so looking at the code these are the only ways I'm seeing that it can happen.

    If you go to Settings > Security, can you check whether "Clear Clipboard" is enabled? If not, any of the above is likely. If it is enabled I think it's far more likely it was Universal Clipboard.

    If you can provide exact steps to recreate it in some other way that would be a lot better as I can take a look at that specifically. But really, under the above information, you'd only have a small number of potential avenues of it possibly appearing in the clipboard unexpectedly.

    Hope that gives you some additional information and maybe some theories on what might have happened.
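
The reply above names two clipboard risks: a copied secret lingering until something replaces it (what "Clear Clipboard" addresses) and Universal Clipboard carrying it to other devices. The Swift code below is an added example showing how an iOS app can limit both; it is not code from 1Password or from this thread. The `SecretClipboard` type, its method names and the 90-second lifetime are hypothetical; the `UIPasteboard` options are Apple's public API.

```swift
import UIKit

/// Hypothetical helper (added example): copies a secret with a limited
/// lifetime and scope, and clears it without wiping later user copies.
final class SecretClipboard {
    private let pasteboard = UIPasteboard.general
    /// Pasteboard change count recorded right after our own write.
    private var changeCountAfterCopy: Int?

    /// Copy `secret` so that it never leaves this device and expires on its own.
    func copy(secret: String, lifetime: TimeInterval = 90) {
        let item: [String: Any] = ["public.utf8-plain-text": secret]
        let options: [UIPasteboard.OptionsKey: Any] = [
            // Keep the item out of Universal Clipboard (Handoff to other devices).
            .localOnly: true,
            // Let the system drop the item even if the app is never reopened.
            .expirationDate: Date().addingTimeInterval(lifetime)
        ]
        pasteboard.setItems([item], options: options)
        changeCountAfterCopy = pasteboard.changeCount
    }

    /// Clear the pasteboard only if it still holds what this class wrote.
    /// If the user has copied something else since (for example a product
    /// code from an email), the change count differs and nothing is touched.
    func clearIfStillOurs() {
        defer { changeCountAfterCopy = nil }
        guard let expected = changeCountAfterCopy,
              pasteboard.changeCount == expected else {
            return
        }
        pasteboard.items = []
    }
}
```

Without an expiry or an explicit clear, the last copied secret stays on the pasteboard until another copy succeeds, so a later copy that silently fails leaves the old value to be pasted.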

  • Brian987
    Community Member

    Hi AGKyle,
    Thanks for your comments. I am afraid you are rather bamboozling me, as I am not a computer expert, and am not aware (for example) of there being a clipboard (or universal clipboard) within my iPad's facilities; I certainly haven't consciously used it!
    I have checked all 3 of our iPads (one bought only last year), and cannot find a "security" option under "Settings"; I have looked further under "General" etc, but it seems that you might be referring to something other than what we have? So, I can't comment on "Clear Clipboard".
    All in all, I can see that between you, you have tried to advance theories to explain the cause of what I experienced, but have not been able to come up with a solution.
    I think I have explained clearly the steps I followed which resulted in a password stored in your App being displayed in "clear" in the field of a shoe supplier's survey form; this from a selection I made by 'copying' a product code displayed in the supplier's email and 'pasting' it into the field in Safari. I can add more detail to this if it is not clear in any respect. What is not in doubt (I think) is that it should not have happened! As I said in one of my earlier posts, I tried to recreate the error, but was not able to.
    I feel it is now down to the 1Password team to find the glitch that must exist in your software, and eliminate it. Otherwise, I am inevitably left with a feeling of insecurity.
    Sorry to be blunt, but I can't really say more.
    Best wishes
    Brian

  • > and am not aware (for example) of there being a clipboard (or universal clipboard) within my iPad's facilities; I certainly haven't consciously used it!

    There is, it may be on by default, and could easily be used unintentionally:

    Use Universal Clipboard to copy and paste between your Apple devices - Apple Support

    > I have checked all 3 of our iPads (one bought only last year), and cannot find a "security" option under "Settings"; I have looked further under "General" etc, but it seems that you might be referring to something other than what we have? So, I can't comment on "Clear Clipboard".

    The setting Kyle was referring to is within the 1Password app. You'll find the settings tab at the bottom of the 1Password screen when 1Password is unlocked.

    > I think I have explained clearly the steps I followed which resulted in a password stored in your App being displayed in "clear" in the field of a shoe supplier's survey form; this from a selection I made by 'copying' a product code displayed in the supplier's email and 'pasting' it into the field in Safari. I can add more detail to this if it is not clear in any respect. What is not in doubt (I think) is that it should not have happened! As I said in one of my earlier posts, I tried to recreate the error, but was not able to.

    The best explanation I can offer is that it seems what you thought was on the clipboard either was not, or was overwritten, and so when you pasted it what was actually on the clipboard at that time was pasted.

    > I feel it is now down to the 1Password team to find the glitch that must exist in your software, and eliminate it.

    I'm sorry but I don't believe I can agree that what you've described necessarily indicates a 'glitch' in 1Password. I haven't seen any evidence of that. As you indicated above it doesn't appear 1Password was even running when this happened ("No, I wasn't using any of the three features."). Certainly if it could be shown that there was a problem where 1Password was somehow filling when it shouldn't be that would be an issue we would take seriously. We haven't been able to reproduce the problem you've described based on the information we've been provided. I haven't found any way to make what you've described happen other than through the scenario I offered above regarding the clipboard contents.

    > Sorry to be blunt, but I can't really say more.

    Likewise. Without anything more concrete here there isn't anything more I can add. We've outlined all of the conditions under which 1Password fills items, and under what conditions a password from 1Password could end up on the clipboard. I'm not sure what beyond that you're looking for from us at this point.

    Ben

This discussion has been closed.