IOS Safari Extension uses data from Demo vault when on Primary

leesweet

This one is quite weird, and I have no idea when it started, as I used the demo vault for about the first time ever (I showed someone how you changed between vaults...). So, now I finally went to a site on my iPhone that is also one of Wendy's (Ars Technica). When I use the Safari extension to login, both my real login for the site and the demo one appear. I have no idea how this is possible, when you can only choose one vault at a time (and it's set to the Primary, of course).

I terminated 1P (swiped up in the app list), no change, went to the demo vault, changed back to the Primary, etc. Same result. KiIled Safari, same result.

So, what would cause this? Obviously not a show-stopper, since you just pick the login you want, but why/how would be it be accessing both vaults at once? I've not tried to create a third vault to test if it does access all three, but I can if it would be useful.

iPhone 6Plus, iOS 8.1.3, 1P5.2

Thanks!

Winnie

Hi @leesweet,

in the extension we are always showing all matching logins from all vaults. As we have no possibility to switch vaults in the extension you would otherwise only be able to fill items your primary vault which would make the extension less powerful. So this is why we decided to show logins from all vaults.

leesweet

@Winnie Okay... that seems very strange to me, as you might have logins (for other cases (work/home/security cases) you don't want popping up. Why would you assume the vault you use in the 1P client isn't the one you want to use for everything? That's what the client uses, why would you NOT want the extension to behave the same.

Are you sure that's the case? Was this just changed? I have logged to Ars Technica before, and I know Wendy's login did not show up.

To counter your phrasing, why would you ever want a browser extension to be more powerful than the actual 1P application?

Winnie

@leesweet maybe I didn't explain this correctly - let me try again:

In the extension we have no way of knowing which vault you have currently selected in the 1Password app - so we cannot just show you logins from the active vault. This is why we show login from all vaults.
Additionally even if we had information about the active vault I personally think it could be very confusing as not every user might remember which vault was last active in 1Password and suddenly only a few or no logins show up in the extension (at least this happens to me all the time on the Mac).

Ever since 1Password 5 came out we've been showing all matching logins from all vaults in the extension - this is nothing that recently changed. I recall you mentioning that you just recently started using the demo vault. If you did create the demo vault recently as well this could be an explanation for you not seeing the demo vaults logins in the extension before.

I hope this makes it clearer.

leesweet

@Winnie Okay, that's clearer. Can I delete the demo vault to prevent this behavior?

I still think it makes no sense that the extension can't get 'all valid data' from the 1P app, which should be the current vault, not every vault. How is the extension doing security if it isn't using the app for access; I know in the Windows side, they talk to each other and should know what is the current selection.

I also think it's up to the user to know what they are doing. To have it default (if there's a choice, you say there is none...) to 'all data in all cases' isn't my choice and I bet it wouldn't be a lot of power users' choice.

It would be nice if there were more options for different classes of users, and not default to the lower end....

Megan

Hi @leesweet,

I'm glad to hear that Winnie's explanation has helped. Thanks so much for sharing your thoughts about the app extension. This is obviously a brand new feature with iOS 8, and we're still improving it and working out how to make it the most powerful and most useful for all our users.

Can I delete the demo vault to prevent this behavior?

You certainly can. Go to Settings > Vaults, and tap on the ⓘ (info icon) next to the demo vault. The following pane will give you the option to remove the vault.

How is the extension doing security if it isn't using the app for access;

When you unlock the app extension with either your Master Password or Touch ID/PIN, the app extension gets the relevant information from the iOS app's local database. The app's local database includes the data from all available vaults.

To have it default (if there's a choice, you say there is none...) to 'all data in all cases' isn't my choice and I bet it wouldn't be a lot of power users' choice.

Again, we appreciate your feedback as we work to refine this new feature. Adding a vault selector to the app extension could complicate what is supposed to be a simple and easy tool, but I have passed this suggestion along to our developers. In the meantime, if you have some data in your database that you are particularly concerned about, you have the choice not to sync the vault to iOS. This is a solution that many of us here use for higher security items that are not likely to be required on our mobile devices.

I hope this helps, but please do let us know if you have any further questions or concerns!