Auto-Fill Security Concern

brank
brank
Community Member

Since share sheets is gone forever, I'd like to know more about auto-fill functionality.

Specifically, what prevents a malicious site from harvesting credentials by tricking 1password into auto-filling credentials into a plaintext field for them to save?

If DNS spoofing or ARP poisoning results in a spoofed copy of a website appearing to Safari as www.XYZ.com, will that be enough to trick 1password into auto-filling creds?

Assuming that the spoofed website lacks a valid certificate. Does 1Password check for certificates prior to auto-filling creds?

What other security features exist to prevent a malicious site from harvesting creds?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Hi @brank

    I'm sorry for the delay. I've asked our security team to chime in here so we can give the best possible answer. Thanks for your patience.

    Ben

  • brank
    brank
    Community Member

    Thank you Ben

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Those are excellent questions @brank.

    Keep in mind that 1Password never fills without explicit user action. User action may be as simple as a hot key, but the user is always in the loop. This means that a malicious page needs to fool both the user and 1Password. The result of this is that 1Password filling is going to be safer than either alone. 1Password filling is going to be safer than you manually using share sheets or copy/paste for a number of reasons.

    1. With 1Password filling the site needs to fool both you and 1Password. For other mechanisms it only needs to fool you.
    2. The communication between 1Password, the 1Password extension, and the place it is filled into is more secure than the alternatives mechanisms (either copy/paste or what you use from the share sheet)

    So if you have been using the share sheet instead of having 1Password help you fill forms, you have not been doing yourself any favors with respect to security (or ease of use).

    Automatic autofill is dangerous. 1Password's autofill is safe.

    You may have heard that "autofill is dangerous" and set your behavior accordingly. The misunderstanding is because of the term "autofill". Automatic auto-fill (without user intervention) is dangerous. 1Password has never offered automatic autofilling. We've been warning of the dangers of automatic autofill probably a decade or more. You can read more about this in 1Password keeps you safe by keeping you in the loop.

    Auto-fill (requiring user intervention or conformation) is much more security than manually filling. I really wish we had better words for these things. The warnings you may have read about autofill without user action are correct, but those only apply to systems that silently fill without user action. I do understand how such warnings can end up scaring people away from something that is beneficial to security (the way that 1Password always has done autofilling).

  • brank
    brank
    Community Member
    edited October 2021

    Thank you @jpgoldberg.

    I don’t understand how this is safer than share sheets. It would seem equivalent to share sheets because back to the good old days of share sheets, two week ago, I had all of the URLs listed in 1password for each login. In some rare cases, a login would be used on a different top level domain so I’d have both listed.

    When I was in safari, on a webpage who’s URL I had saved in 1password, then share sheets would jump 1password to that login. If, I was on a fake webpage that only looked like the correct webpage but the URL was different, then share sheets would pull up the entire 1password, not the specific website, which would be an indication something is wrong.

    I’m only this week learning about auto-fill so I don’t understand how it’s safer than sharesheets since my understanding differs from your explanation, in that a website would have to fool both me and 1password to get sharesheets to pull up the specific website.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Hmm. It appears that I have misunderstood how you were using share sheets.

  • brank
    brank
    Community Member

    @jpgoldberg no problem, I think there’s a systemic misunderstanding of how customers used the late, great share sheets because as your CEO stated, none of the employees at 1password used share sheets, so that’s why it wasn’t a big deal for him to remove them in a point release without any patch notes warning of the removal. So it’s unsurprising that you’re not familiar with the feature since none of the agilebits staff used it.

  • I don't think there is any evidence of it being either more or less secure. We've covered the subject of removal of the share sheet extensively in other threads. If there are follow-up questions about the security of auto-fill please feel free to reach out to the team at support+security@1password.com.

    Thanks!

    Ben

This discussion has been closed.