Does 1Password fill out hidden form fields?

In the identity profiles, many information is stored. When we fill the identity, it fills out the fields that are shown on the webpage. Even though my email ID and name remains same, I do not want to give some other details such as address and all while filling out signup forms in certain websites. 1Password visually shows which fields it has filled by making the field tinted blue. That's a great feature. But what happens if some form fields are hidden in the webpage, or that uses trickery of having the field but getting obscured by an blank image for example. Does 1password fill out those fields as well, effectively handing over some information to the website without my knowledge?

tl;dr: Does 1password fill the hidden form field if the values for those form elements are available in the identity?

Comments

  • Hello @iCloud,

    1Password does not see a website the way we see it. Instead, it looks for all input fields in the HTML structure of the website. That said, when a website shows an input field in its HTML structure, 1Password will read to see if it should fill for you or not. Even if we don't see the input field on the site, 1Password can still see it in the HTML structure and work with it. That said, I don't think a website would hide an input field since it servers no purpose. Unless a developer specifically wants to get your personal information, such as your email or home address and knows that you use a password manager application, they could develop a web page to trick you into filling in your personal information.

    A legitimate website will not do that since it could entail trouble for them. Hence, I recommend you use extensions or apps to check if a website is trustworthy or not before signing or filling anything on it.

  • iCloud
    iCloud
    Community Member

    Thank you for clarifying. My concern though is not much for login IDs, since mostly there are two field values stored for them anyways. But when it comes to filling out Identities from 1password, it occurred to me that, since there are so many default fields stored in it, which often are not needed to be filled, it may not be that safe after all to use the identities to fill signup pages, especially if the website is not a well known one.

    I think 1password's claim of trustworthiness of a website could be a misnomer in this case. Since 1password checks if there has been any password leaks to call it trustworthy, but a blog or a new startup website for example, may not have ever leaked the emails, but have ways to have extra form fields in html which are not shown! It is surprisingly easy to have form fields hidden in a html page using css property display=none. Relying on 1passwords trustworthiness claim if one uses that, or simply using 1password Identities to fill forms could make one leak their personal info unintentionally!

    tl;dr: Advice to 1Password Users: Don't use Identities feature of 1Password in new, less known websites; it could potentially leak your personal info, for no fault of 1Password itself.

  • Hello @iCloud,

    Thank you for getting back. Your recommendation is indeed very relevant, and we have been asking users not to fill anything, not just identity items but especially credit card items on an unknown website.

    Please feel free to give me a shout if you need anything and have a great week.

  • iCloud
    iCloud
    Community Member

    I have a question about the login IDs. If I chose to save more information in the login entries, by manually adding more sections (address, phone etc), are those fields vulnerable too? In other words, do the manually added fields in an login entry, also follow the same pattern of matching the html field in the target page and fill itself, or it only serves as a note for the user and are not filled by default?

  • Hello @iCloud,

    Yes, if you add a custom field in a login item, 1Password will look for the input field with the same or similar name, id attribute to fill. If it can't see anything on the page, it will ignore the custom fields.

    However, it only works on the login page of the login item you add a custom field in and I rarely see a login page that requires users' personal information. Moreover, since 1Password can detect relevant input fields to save automatically, it is unnecessary to add a custom field in a login item.

  • iCloud
    iCloud
    Community Member

    Thank you. I understand that there is usually no need for saving any info manually in the login items. But if some info must be saved, I would think the "notes" section is the safest segment to store the info, instead of adding info to the specific sections. I believe the note field would not be matching its form field to any field in the website, hidden or otherwise.

  • @iCloud,

    You are very welcome, and once again, you are right. The note section is the best place to add any extra information you need for the login item. It is good that you add it here. Some users might find it helpful.

This discussion has been closed.