1Password reporting an unprotected login on the macupdate.com website

djvanenckevort
Community Member

Hi,
I like the way 1Password looks out for me and warns me when a login is insecure. Because 1Password reported an insecure login on the macupdate.com website, I created a ticket with MacUpdate about this issue.
I received the following response from them, in which they state that 1Password is falsely reporting an insecure login:

Thanks for your concern, and I apologize for any confusion around this! 1Password is giving a false warning as all login forms on MacUpdate send data encrypted as required by PCI (credit card compliance) requirements.

If you have any further questions, please let me know.

Ryan

When I look at the website's HTML source code I do see that the login POST target is https://www.macupdate.com/member/login, which will be encrypted.

I would like to have your take on this.

Comments

  • littlebobbytables
    1Password Alumni

    Hi @djvanenckevort,

    So the first thing I did was pop over to http://www.macupdate.com and like yourself, inspected the login element and sure enough there is a <form action="https://www.macupdate.com/member/login" id="mem_loginform_p" method="post" name="mem_loginform">. So armed with this I went and asked the devs that work on the extension.

    What I was told is that yes, while the login credentials are being submitted via https, as both you and I noted, because it's happening on an http page (and so unsecured) there is the risk of JavaScript injection, which I'm told isn't possible if the entire page is secured with https. So what the people I trust say is that while MacUpdate aren't wrong that the data is being sent over an encrypted channel, you're still safest if you only work from an https page. The concern is that injected JavaScript could read the contents of the unsecured page, which is where you're entering your login credentials, even if the form is only submitted via https.

    So in layman's terms, MacUpdate are adhering to PCI compliance and we're just being a little bit more cautious.

    Now if you have any questions from any of that please do ask and I will do my best to obtain answers for you.
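The check the reply describes, written out as an added example (this is not 1Password's extension code, nor anything from MacUpdate): a login form only counts as secure when both the page it is embedded in and the URL it submits to are HTTPS, because a script injected into an HTTP page can read the fields before the form is ever submitted. The HTML snippet and the hostnames other than macupdate.com are constructed for the demo; the form action is the one quoted in the thread.

```javascript
// Added example: classify a login form the way the thread describes.
// Not code from 1Password or MacUpdate; sample HTML below is constructed.

// Compare the scheme of the page with the scheme of the form's submit target.
function formRisk(pageUrl, formAction) {
  const page = new URL(pageUrl);
  // A relative action resolves against the page URL, so it inherits its scheme.
  const target = new URL(formAction, pageUrl);
  const pageSecure = page.protocol === "https:";
  const submitSecure = target.protocol === "https:";
  if (pageSecure && submitSecure) return "secure";
  if (!pageSecure && submitSecure) return "insecure-page";    // the MacUpdate case
  if (pageSecure && !submitSecure) return "insecure-submit";  // https page, http action
  return "insecure-page-and-submit";
}

// Find forms that contain a password field and classify each one.
// A regex over raw HTML is enough for a demo; a browser extension
// would inspect the live DOM instead.
function findLoginForms(html, pageUrl) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    // Only forms with a password field are login forms for our purposes.
    if (!/type\s*=\s*["']?password["']?/i.test(body)) continue;
    const actionMatch = /\baction\s*=\s*["']([^"']*)["']/i.exec(attrs);
    // A form without an action submits to the page's own URL.
    const action = actionMatch ? actionMatch[1] : pageUrl;
    forms.push({ action, risk: formRisk(pageUrl, action) });
  }
  return forms;
}

// Constructed page: an HTTP page carrying a search form (no password field)
// and a login form that posts to the HTTPS URL quoted in the thread.
const SAMPLE_PAGE_URL = "http://www.macupdate.com/";
const SAMPLE_HTML = `
<form action="/search" method="get">
  <input type="text" name="q">
</form>
<form action="https://www.macupdate.com/member/login" id="mem_loginform_p" method="post" name="mem_loginform">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
`;

// Usage: prints one entry per login form with its classification.
console.log(findLoginForms(SAMPLE_HTML, SAMPLE_PAGE_URL));
```

On the constructed page the search form is skipped and the login form is reported as "insecure-page": the submit target is encrypted, exactly as MacUpdate said, but the page the credentials are typed into is not, which is the distinction the reply draws.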
