Sent Link To Sign in And Directed to Fake McAfee Pop-up Notification
Today I was trying to set up my Chrome extension on a new browser, so I sent myself a sign-in link from the 1 Password app via email. When I clicked the link it sent me to what looked like a McAfee Pop up ad of some kind, and didn't look safe at all. I didn't click anything on that page just shut it down, but the damage was already done, and I kept getting constant fake McAfee Ad pop ups in my browser after that. They would not go away until I cleared all my browser data. This seems like a HUGE security concern that this would happen through a link I sent myself from the 1 Password app. Is this a new problem, or are the links not safe?
1Password Version: 8.10.16
Extension Version: Not Provided
OS Version: Windows 11
Browser: Chrome
Comments
-
Hello @bjett! 👋
That definitely doesn't sound right. Rather than the original link itself being unsafe, it sounds like something on one of your devices may be changing either the link in your email or what happens when you click on the link. If you look at the email that you sent yourself then does the link begin like this:
onepassword://team-account/add....
Or does the link look different? Can you also tell me if you use any McAfee software or browser extensions on any of your devices? Are you able to post a screenshot of the McAfee pop-up that you saw?
-Dave
0 -
The link does begin with those I have actually attached a screenshot of the link and just covered up the stuff that would be personal information. I finally got rid of the pop ups by clearing my browser data, so I do not want to get them back by clicking the link again, however I did screenshot where each of the two hyperlinks will direct me if I do click on them. I went back into my app to just view the passcode without sharing it to my email, and this is the same exact url.
I do not have McAfee at all on any of my devices.
0 -
It looks like whatever URL markup parsing occured as you drafted the email, or after receiving the email - has misinterpreted parts of the URL encoded string as website addresses.
%40
=@
%2F
=/
The latter link isn't concerning (but wouldn't work to login at), but the former '40gmail[.]com' is a parked domain: https://urlscan.io/result/79178069-bc2f-4411-8a35-6221afa1b302/
Do you recognise a screen like this?
0 -
No that never popped up. I actually clicked on the 40gmail.com portion of the link again so I can show you where it takes me. This is what I get after I click on it.
I then have to clear all browser data to prevent any ad pop ups from occurring after I click the link in the email I never click anything on the page that it directs me to.
0 -
The link you sent yourself is malformed. The %40 (and other portions) are not encoded correctly within the link. Try AirDropping the URL to yourself or messaging it to yourself to take the email provider out of the equation. Then you can likely copy and paste the link to the browser. Does that help?
0