1P Firefox Extension Gives Old Data for Credit Card

Mousit

One of my credit cards expired and I received my new one. I changed the information in 1P (Windows). The info updated successfully (the expiration date and the CVV are what changed), and the main 1P application shows them to be changed. However, any time I use the 1P Firefox Extension to fill out credit card info for this changed card, it puts in the OLD expiration date and old CVV. This card was replaced early last month and I first noticed it a few weeks ago (I don't use the card too often so forgot about this until it did it again).

This has persisted across full reboots of the machine, and also Firefox application upgrades. I just used the card again today and the 1P Extension continues to fill out the old expiration and CVV, even though the main 1P Application shows up-to-date info.

Windows 8.1 x64.
Firefox 36.0.1.
1Password for Windows 4.1.0.538.
1Password Extension for Firefox 4.2.5.

Mousit

I updated to 1P 4.2.0.548 which did not fix the problem.

In digging deeper into it, I tested a few things. I wiped Firefox completely, and its profiles, and started over totally fresh (it had some cruft anyway). That didn't help, the Extension continued to use old expiration and CVV, which seemed to suggest that it was getting the data out of the 1P vault directly.

I poked around to see if this data was actually in the 1P database somewhere, and I eventually found it.

The updated expiration and CVV show up in the main 1P program, and there's no indication of any old data still being stored. I found this a little odd, since with Login information 1P saves old passwords as "previously used passwords" which you can review, and even delete, but this kind of history information was not showing for the credit card. However, I exported the credit card's wallet entry as a 1PIF file so that I could read it myself (in Notepad) and see what it contained. Low and behold, the new data AND THE OLD DATA both exported inside the 1PIF, so yes, the old expiration and CVV were indeed still being stored in the opvault. The Firefox Extension was picking up the old data instead of the new data.

This appears to be two bugs. The Firefox Extension should be able to pick up the new data, since both old and new were in the opvault, so bug 1. However, bug 2, this old data is lingering in the opvault and the main 1P application is giving no indication of this. There's no "previous history" at all. If you were just looking via the application itself, you would never know there's a second set of data. However, it exports it in 1PIF, so clearly the 1P application can see it SOME way or another, but isn't showing it within the application.

Oh hey, bug 3. I completely deleted the credit card entry, and emptied the 1P trash. Then I created the entry again, fresh. Now the Extension isn't filling out data at all. I tell it to submit that CC (which shows up in the Extension under Credit Card items) and it.. does nothing. I tried other card entries (which I have not edited) and they still work. So apparently creating this new entry just doesn't work at all now. Lovely.

Mousit

I'll just keep on adding details to this post as I notice them.

I can take a guess at why the Firefox Extension isn't happy with my newly re-created credit card entry. The format for the database item is notably changed. In comparing the 1PIF exports, the old entry and the new entry come out in 1PIF with very different fields. Notably, the new entry has a number of additional fields that were not present in the old entry, and the old entry had a bunch of "guarded" field markers which the new entry does not have at all. I suspect the Firefox Extension doesn't like this new database entry format and treats it as bad, ignoring it. I would guess that was why the extension was grabbing the old data before, because the old data was in the old field format that the extension liked. Now that I've "fixed" the credit card entry so it doesn't have the old data anymore, the Firefox Extension won't read that credit card item at all.

I exported my other credit card into 1PIF as well to take a look at it (I only have two stored in my vault). It has duplicated old data in it too, history data. This appears to be a long-standing issue. The 1P Application does not show anything about this extra history data at all; it only comes out in the 1PIF exports. I did not notice a problem because the edits I've made to other credit card were things like limits and phone numbers and interest rates, not the expiration date or CVV, so even with the 1P extension picking up old data, you wouldn't notice. That card hasn't been edited since Sep 17, 2014, and it's got duplicate/old data in its 1PIF export as well, so this isn't a brand new issue.

AGAlumB

@Mousit: Sorry for the trouble! I would have gotten back to you sooner, but I wanted to make sure I tested this first to see if I could reproduce the issue you seem to be having.

Thank you, by the way, for mentioning that you tried creating new items for the credit card in 1Password! Unfortunately, I didn't have the misfortune of running into this myself using 1Password 4.2.548 on Windows 7 Ultimate and Windows 8.1 in Firefox 36.0.1 with extension 4.2.5, either with old saved credit cards or a few I created fresh; and even after updating the card number, expiration, and CVV it filled with the new information.

For reference, I tested this on jinx.com since I happened to remember them having a 'guest' checkout (handy for experimental purposes). Weirdly, the checkout forms looked significantly different between OS versions. Apart from the extension having some trouble changing the card type from American Express, it worked.

In your case, 1Password seems to be storing the updated expiration and CVV info alongside the original data, is that correct? I am not seeing any of the old data showing up in the .1pif export after updating the item. Are you using any custom fields in the credit card items you created, or just the defaults from the template? Please let me know. We will get to the bottom of this!

AGAlumB

@Mousit: If you don't mind, perhaps we could take a look at a sanitized copy (all personal, private financial data replaced with dummy data) of the .1pif. Send an email to support+windows at agilebits dot com, and be sure to include a link to this thread so we can connect the dots and take a closer look at this for you. :)

svondutch

@brenty a couple of notes:

1. I think @Mousit is running opvault (not agilekeychain). This might be the missing link.
2. Because Wi-Fi Sync is based upon opvault, this might be the same bug: https://discussions.agilebits.com/discussion/comment/186715/#Comment_186715

Let's escalate this problem. /cc @AlexHoffmann @MikeT

Mousit

@brenty 1P is actually storing everything. I will try to get a sanitized 1PIF for you so you can see. What I basically see is the updated card info first, and then all the way at the end just past (or maybe as part of, I'm not completely sure I'm reading the 1PIF format right when I manually read it in Notepad) the field titled "Additional Details", it then duplicates ALL the card data with a copy of the OLD data. Though that includes even data that did not change! So I basically see two complete entries stacked on top of each other. Card type, card number, CVV, expiry, credit limit, phone numbers, website, EVERYTHING is duplicated, but the things that were changed are different while things that didn't change like card number, are duplicate.

@svondutch I am indeed using opvault on Windows, not agilekeychain. I have always used it ever since my initial Windows installation. I've been using the Mac version with agilekeychain for some time, and continue to do so, but I do not use automated sync between the two installs. That's a bug in itself, by the way, though I don't mean to ramble off on an unrelated tangent. The Mac version for whatever reason will not read 1PIF files out of the Windows version, at least not mine. No errors or anything, it just basically does nothing with the file. Windows will import Mac 1PIF files though, at least it did last I tried, but I haven't tried in some time now. I quit trying to sync them a while back because of the issues, and I just "sync" entries in manually by hand since my vault data doesn't change often.

I do also use Wi-Fi Sync with my iPhone, and I sync from the Windows version (not the Mac version). However, I make a point of never editing on the iPhone. I always edit on Windows and then sync to phone. I have never once edited credit card information on the phone, just FYI.

svondutch

@Mousit First of all, I would like to thank you for working with us on this problem. It makes all the difference in the world to have reproducible steps and/or sample data.

I'm pleased to inform you that I have reproduced the problem. There is good news and there is bad news :)

The good news: I have fixed the problem. The bad news: you'll need to edit the credit cards having this problem. There is no need to change anything. Simply updating them (without modifications) should fix the problem.

This fix will be included with 4.2.1.BETA-551. I'm planning on releasing this BETA build after the weekend.

When version 4.2.1.BETA-551 is available, can you please download it and confirm the fix? Thanks!

Mousit

@svondutch Great to hear you could reproduce it! I tried to give as much detail as I could in the e-mail with the 1PIF files.

And hah, I really like your idea "bad" news. :) I only keep two credit cards in my 1P vault anyway. I should be able to test the fix in all of 30 seconds. I will keep an eye out for the BETA build when it becomes available.

Is there anything I should know about installing or updating BETAs, especially when a non-beta stable release comes out later? I've never used a 1P beta before so I just want to make sure of any caveats I should be aware of about installation, particularly when it comes time to getting off of the beta onto a stable release. Or will I just update to the stable release when it comes out just like any other normal 1P update?

AGAlumB

@Mousit: Well, ideally you wouldn't run into a problem like this in the first place, or there would be an automated fix at least! In this case, once the beta is available you will need to manually resave your affected credit card items. I guess that's the 'bad' news. ;)

In regard to the beta channel, once enabled you will continue to receive beta updates; but you can go back to the current stable release at any time by installing it from the website. In my experience, 1Password betas tend to be less beta-y than most, and I often have to check which channel I am on with all the back and forth. Just based on your pursuit of this bug, I'd wager you will be more than comfortable with it.

Again, I can't thank you enough for reporting this so quickly (and thoroughly!) so the problem could be identified and fixed in the next version for the benefit of you and everyone else! :)

Mousit

@brenty @svondutch I installed BETA 551 but unfortunately it doesn't seem to have fixed the problem, or at least not completely. When I open the existing credit card in the editor and hit OK to 'update' it (without changing anything) it updates the Last Modified time. If I export in 1PIF I can see that the data is still doubled-up just like in the 1PIF I e-mailed (ticket NHN-96612-439). The CVV, however, is updated with the current value (so basically the current CVV is in the 1PIF twice). However, the expiration date is in two schema. The new schema format has the current expiration date. The old schema format has the old expiration date. I mentioned this in the e-mail that the expiration date schema seems to have changed at some point in 1P versions.

When I try to use this credit card in a website via the Firefox Extension, it now puts in the proper CVV that I'm expecting. However, it continues to use the old expiration date.

As a test, I created a brand new credit card entry as well, filling in all the data for the card by hand (rather than import anything). When I try to use this new test card entry in a website, the Firefox Extension fills out all the credit card info EXCEPT the expiration date, which it doesn't touch. It really, really does not like the new schema that the expiration date uses in the vault, and this seems to be the primary problem. I sort of wonder if the data is getting doubled-up in the vault due to this schema change too, like it's not quite sure what to do about the old-style expiration date format.

So, I still have doubled-up data in my 1P vault (and in any 1PIF exports), and I have expiration dates in two schema formats in that 1PIF. The old schema entry retains the old expiration date, and this is what the Firefox Extension is reading. The new schema entry has the new expiration dates, and the Extension won't read this format at all.

Also on another note, BETA 551 no longer shows my registration, and says it will expire on March 31. I trust that if I install a stable release my registration will still work?

svondutch

If I export in 1PIF I can see that the data is still doubled-up

@Mousit Correct. We need this for backwards-compatibility with older versions, and the 1Password extension in your web browser.

The new schema format has the current expiration date. The old schema format has the old expiration date.

@AlexHoffmann Can you file this bug, please? Thanks!

BETA 551 no longer shows my registration, and says it will expire on March 31

@Mousit Correct. Our BETA versions expire within a month. This is the designed behaviour.

I trust that if I install a stable release my registration will still work?

@Mousit Absolutely!

Mousit

@svondutch,

Correct. We need this for backwards-compatibility with older versions, and the 1Password extension in your web browser.

Oh! Well good to know that's actually intentional then. So I guess it's just the old-format expiration not getting updated that's the real bug then. :)

Or two bugs, really. Remember that a brand new, from-scratch credit card entry (like I created for testing) only seems to put the expiration in the new format, or at least that's what it did for me. The Firefox Extension won't read the expiration even though it reads the rest of the info out of that new test entry. Seems like that would be a big deal to new users just starting out with a brand new vault.

AlexHoffmann

That's most likely a combination of a bug in the app and the extension. We're investigating this and thanks to your information we have a pretty good idea what's happening.

So thanks, again!

svondutch

When I try to use this credit card in a website via the Firefox Extension, it now puts in the proper CVV that I'm expecting. However, it continues to use the old expiration date.

@Mousit Version 4.2.1.BETA-554 should fix this problem. Can you please download version 4.2.1.BETA-554 and confirm the fix? Thanks!

Mousit

@svondutch I installed 554 and that does seem to have fixed it. I opened the credit card in the 1P editor and saved it again (so the timestamp updated), and then double-checked a 1PIF export. I can see the expiration in the 1PIF is in both schema formats (as you said was normal) and now both of them have the correct month and year. I tested it using the Firefox extension and it filled out the data properly, expiration and all. I also created a new, test card entry (since previously creating a brand new entry resulted in the extension not filling in expiration at all) and that also worked. The extension grabbed the expiration data properly in that case too.

I think this particular bug is fixed. :)

Now, one last question! Now that the data is fixed in my vault, am I able to re-install the current stable version of 1P (i.e., downgrade), or is the vault data change enough that I need to stick with the betas until the NEXT stable version comes out? Because this beta install is going to expire at the end of the month.

Or am I able to install another beta after March 31 to get another 30 days? Never used betas before, after all. :)

AGAlumB

@Mousit: Some excellent questions! Thanks for getting back to us to confirm that the beta fixed the issue for you. That is great news!

So, to give you some (hopefully) excellent answers:

• For now, stick with the beta. When the next stable release is available, 1Password will offer it to you as an update. Once it is installed, just uncheck the beta box in Preferences and you won't be offered beta updates going forward.
• The expiration is just in place to ensure we don't end up with a bunch of people stuck on an absurdly outdated beta (possibly with nasty bugs that were fixed almost immediately!) This has happened to me when I fired up a machine I hadn't touched in months.

Thanks again for your support, and be sure to reach out if we can be of further assistance. :chuffed:

Mousit

@brenty I'll stick with the betas then and just keep updating them after the 31st, until the next stable. Thanks! Good working with all of you. :)

MikeT

On behalf of the team, you're welcome!