Wrong association when filling in an email address as one of the websites
One of our users filled in a login item in a wrong way which potentially could have leaked data to a third party. It is not a security issue per se, but more a UX issue I think.
They have an account at website A. This website uses usernames which are not the email address registered at that website. For password resets this email address is used, and thus we have a policy of storing that email address in the additional data of the item in 1Password.
By accident, they filled in this email address in the fields for the associated websites of the login item.
Then when going to the domain of the email address (not the domain of the login item), the browser addon suggests this item to use for logging in.
Maybe best explained with an example. Here's a test case I made:
(Note that the name@otherdomain.com is filled in as a secondary "website" for this login item.)
If you now browse to the login page of otherdomain.com, you'll get this item suggested as the way to log in, which will leak the password for correctdomain.com to otherdomain.com.
I'm not sure about the use cases for using an email address as a website. Maybe some FTP domains use that? But if those cases are non-existent or less important, it would be nice if:
- 1P disallows entering an email address in the top section with associated websites
- or 1P warns when entering an email address there
- or 1P doesn't use the domain of that email address as an associated domain when suggesting passwords
1Password Version: 8.10.48
Extension Version: 8.10.48.25
OS Version: Linux
Browser: Firefox
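The mis-association described in this post can be reproduced with a small model of how an extension might normalize the "websites" field. The code below is an added example, not 1Password's code; it assumes (hypothetically) that entries without a scheme get `https://` prepended and are then parsed with the WHATWG URL parser, which treats `name@otherdomain.com` as userinfo plus host. The item list and page URLs are constructed from the domains named in the post. `validatedHost` shows the third proposed fix from the list above: an entry that looks like an email address, or that carries URL credentials, contributes no host at all, so the item is never offered on the email's domain.

```javascript
// Added example (not 1Password's code): why an email address stored as an
// "associated website" can make a login item match the email's domain, and a
// validation step that prevents it. All items and URLs are constructed samples.

// Hypothetical normalization: prepend https:// when no scheme is present, then
// parse. Returns a URL object or null if the entry is not parseable.
function parseAsUrl(entry) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(entry) ? entry : `https://${entry}`;
  try {
    return new URL(withScheme);
  } catch {
    return null;
  }
}

// Naive matcher host: "name@otherdomain.com" parses as userinfo "name" on host
// "otherdomain.com", so the login item becomes associated with otherdomain.com.
function naiveHost(entry) {
  const url = parseAsUrl(entry.trim());
  return url ? url.hostname.toLowerCase() : null;
}

// Loose shape check for an email address (local@domain.tld, no whitespace or slashes).
const EMAIL_RE = /^[^\s@/]+@[^\s@/]+\.[^\s@/]+$/;

// Hardened matcher host: refuse entries that look like an email address, and
// refuse any URL that carries username/password userinfo, so neither can
// silently donate a domain to the item.
function validatedHost(entry) {
  const trimmed = entry.trim();
  if (EMAIL_RE.test(trimmed)) return null;
  const url = parseAsUrl(trimmed);
  if (!url || url.username || url.password) return null;
  return url.hostname.toLowerCase();
}

// Return the titles of items whose websites (as normalized by hostOf) match the
// page's hostname exactly.
function suggestionsFor(pageUrl, items, hostOf) {
  const page = new URL(pageUrl).hostname.toLowerCase();
  return items
    .filter((item) => item.websites.some((w) => hostOf(w) === page))
    .map((item) => item.title);
}

// Constructed vault: "Website A" has the reset-email address mistakenly stored
// as a second website, exactly as in the post.
const ITEMS = [
  { title: "Website A", websites: ["https://correctdomain.com", "name@otherdomain.com"] },
  { title: "Mail", websites: ["https://otherdomain.com"] },
];

// Stand-alone demonstration: naive matching offers "Website A" on otherdomain.com,
// validated matching does not.
console.log("naive:", suggestionsFor("https://otherdomain.com/login", ITEMS, naiveHost));
console.log("validated:", suggestionsFor("https://otherdomain.com/login", ITEMS, validatedHost));
```

`validatedHost` rejects the entry instead of stripping the local part, which matches the first two suggestions in the post (disallow or warn) better than quietly reusing the email's domain would; a UI could surface the `null` result as the warning.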