Autofill vulnerability

Options
System
System
in 1Password in the Browser
This discussion was created from comments split from: Chrome autofill not working.

Comments

  • vadimm
    vadimm
    Community Member
    Options

    Hi,
    Can you please give comments on how 1password address these security risks https://www.smashingmagazine.com/2021/10/autofill-dark-pattern/?

  • ag_yaron
    ag_yaron
    1Password Alumni
    edited November 2021
    Options

    Hey @vadimm ,
    I split your comment from the discussion you commented in because it was unrelated to the issue they were discussing there.

    To answer your question, 1Password keeps you protected and addresses these autofill risks as follows:

    • 1Password will never autofill anything without your specific command. You must tell 1Password to autofill every time.
    • 1Password will only autofill usernames and passwords if the URL you are currently visiting is identical to the URL that is saved in 1Password, preventing phishing attacks.
    • If you need to autofill personal information such as email or address, 1Password will suggest autofilling only these specific fields from your identity item and will not reveal any other bit of info from that identity item. However, if you want to autofill all of the fields on the page in one go, you can click on 1Password's icon in your browser, select your identity item and click on "Autofill". That will fill all field on the page with your personal data (and reveal it to the page/website).
    • And last but not least, 1Password won't even suggest autofilling when it is locked, which helps preventing "reflex-like" behavior of autofilling wherever whenever. Keep your 1Password locked when you don't use it :)
  • jmjm
    jmjm
    Community Member
    Options

    1Password will only autofill usernames and passwords if the URL you are currently visiting is identical to the URL that is saved in 1Password, preventing phishing attacks.

    Just to confirm, it can be the case that the URLs can be different but "legitimate" going from a desktop to a mobile site?

  • ag_yaron
    ag_yaron
    1Password Alumni
    edited November 2021
    Options

    Hey @jmjm ,
    The URLs are legitimate most of the time, it doesn't matter though - 1Password will not autofill or suggest autofilling if the domain of the website is different than the domain that is documented in the login entry in 1Password.

    So for instance, if you have a login entry with "https://apple.com" in it, you will be able to open and fill it on Apple's website (and every subdomain they own, such as itunes.apple.com, support.apple.com etc), but you won't be able to autofill it on a different domain such as apple.somewebsite.com or appllee.com or amazon.com.

  • vadimm
    vadimm
    Community Member
    Options

    That is the good news, thank you!

  • Jack.P_1P
    Jack.P_1P
    Options

    You're very welcome @vadimm! :smile:

This discussion has been closed.