BUG: Changing website password through extension doesn't work (/.well-known/change-password)
Hi guys, I noticed that changing a password through the browser extension doesn't work correctly. For example:
- you are logged in to twitter.com and have the browser page open on the twitter site
- you click the 1password extension icon in your browser
- click the three dots button on the top right
- click the option "Change Password"
- this launches a new tab and opens the url https://www.twitter.com/.well-known/change-password
- that url generates a 302 redirect to https://twitter.com/settings/password
- BUT after loading https://twitter.com/settings/password, the browser goes back to https://www.twitter.com for no apparent reason
- I have tested this in multiple browsers and with multiple websites that use the /.well-known/change-password url.
When you visit https://www.twitter.com/.well-known/change-password directly in your browser and NOT through the 1password extension, everything works as expected.
I think this is a little bug in the extension.
1Password Version: 80401002
Extension Version: 2.2.2
OS Version: Windows 10 (21H1)
Comments
-
Hey @kuiper, thanks for reaching out! This is a known issue that our developers are investigating. For now, we've only been able to identify the behavior on the Twitter site. However, if you've seen this on other sites, please let us know.
Until there is a fix, I would recommend changing your password for your Twitter login through the traditional route:
- Go to Twitter.com and sign in.
- Navigate to the "change password" page.
- If the site asks for your existing password, please fill it in.
- Use 1Password's password generator to create a new password.
- Save the new password to the site.
Here's a guide in case you need it: https://support.1password.com/generate-website-password/
I hope this helps for the time being. Let us know if you have any other questions!
ref: dev/core/core#10548
0 -
Hi @Joy_1P, I did some testing on some servers and I found what is causing the issue on Twitter.
The 1password extension checks the url https://twitter.com/.well-known/change-password, but also checks: https://twitter.com/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200 (kudos for testing on a URL that explains what it is expecting)
The URL https://twitter.com/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200 generates a 200 OK
When the URL generates a 200, it doesn't work correctly and the user is bumped to the homepage. BUT if that URL would generate a 404 it does work correctly.
I also tested this at GitHub; https://github.com/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200 generates a 404 and thus the "change password" function of the extension works as expected.
Hope this helps! Not sure why you guys check /.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200 but there is probably a very good reason to do so :-)
Hope this helps!
0 -
Hey @kuiper:
The why we check resource-that-should-not-exist-whose-status-code-should-not-be-200 can be best explained by the W3C specification on it here: Detecting the reliability of HTTP status codes
Let me know if that clears it up!
Jack
0
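The reliability check discussed in this thread, sketched as an added example that is not part of any post and is not 1Password's code. The function names, the fallback to the site's home page (modelled on the behaviour reported above) and the stub site are assumptions; only the two well-known paths come from the thread.

```javascript
// Added example; every name except the two well-known paths is hypothetical.
const CHANGE_PASSWORD_PATH = "/.well-known/change-password";
const SENTINEL_PATH =
  "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200";

const isOk = (status) => status >= 200 && status <= 299;

// Pure decision step: given the final status of both probes, pick the tab URL.
function chooseTarget(origin, sentinelStatus, changeStatus, changeFinalUrl) {
  // A 2xx for a resource that cannot exist means the site answers "OK" to
  // anything, so a 2xx on change-password proves nothing about support.
  if (isOk(sentinelStatus)) {
    return { url: origin + "/", reason: "status-codes-unreliable" };
  }
  if (!isOk(changeStatus)) {
    return { url: origin + "/", reason: "no-change-password-url" };
  }
  return { url: changeFinalUrl, reason: "change-password-supported" };
}

// Network step. fetchImpl is injected so the logic can be exercised offline.
async function resolveChangePasswordUrl(origin, fetchImpl = fetch) {
  const opts = { redirect: "follow" };
  const sentinel = await fetchImpl(origin + SENTINEL_PATH, opts);
  const change = await fetchImpl(origin + CHANGE_PASSWORD_PATH, opts);
  return chooseTarget(origin, sentinel.status, change.status, change.url);
}

// Constructed stand-in for a site: sentinelStatus is what it returns for the
// should-not-exist resource; change-password redirects to settingsPath.
function fakeSite(origin, sentinelStatus, settingsPath) {
  return async (url) => {
    if (url === origin + SENTINEL_PATH) return { status: sentinelStatus, url };
    if (url === origin + CHANGE_PASSWORD_PATH) {
      return { status: 200, url: origin + settingsPath };
    }
    return { status: 404, url };
  };
}
```

A site operator can use the same logic as a self-check: the sentinel path has to return a non-2xx status for the change-password URL to be trusted by a client that follows the W3C algorithm.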