Web browser redirected to another domain, apparently associated with 1PW duplicate password entries

randy_va
Community Member

Problem: redirected to another domain, apparently associated with 1PW duplicate password entries

The security audit feature of 1PW5 reported duplicate passwords for 2 of my login entries, retailmenot.com and backblaze.com. Retailmenot.com is a site to search for retail purchase discount coupons (I do NOT have an account with this site); Backblaze is a legitimate secure online computer backup service for which I have an account.

The full URL for the retailmenot.com entry was http://www.retailmenot.com/xxx/11111111 (with xxx substitutes for 3 letters and 111… standing for a series of numbers).

When I clicked on the above retailmenot.com hyperlink (or when I manually type the URL into the URL/search block of the web browser), the backblaze.com web site appears in the web browser! When I manually type www.retailmenot.com (without the following letters and numbers), the correct retailmenot.com website appears.

What is going on here? Am I being redirected to another domain by some type of malware, or is this simply a problem with some type of local cache that needs to be cleared? Or is this some issue with 1PW for the Mac?

I have no idea why my backblaze password would be duplicated in the retailmenot.com login entry. As far as I know, I have not registered with an account at the retailmenot.com web site. What really concerns me is that I am directed to the backblaze.com web site when the specific "http://www.retailmenot.com/xxx/11111111" URL is entered in the web browser. This happens with both the Safari and the Firefox browsers.

All applicable OS X and Safari updates have been installed, including the Yosemite 10.10.3 update today, 4/9/2015. I have cleared Safari history, cookies and website data.

Comments

  • littlebobbytables
    1Password Alumni

    Hi @randy_va,

    Whatever the issue, I don't believe 1Password is part of the cause. If you can paste an address into a browser and you're redirected then 1Password played no part. It's potentially hard to say though. With the URL you posted you generalised part of it as /xxx/11111111. Now for me if I click on that link or for a couple of random 3 letter strings I stay on RetailMeNot's site with "page not found". Does any combination result in you being redirected or is it specific ones?

    If it's all then it would seem likely to be somewhere between your browser/extensions and any domain name lookup going on. That would include your hosts file.

    To check your hosts file open up a Terminal window by launching /Applications/Utilities/Terminal. In that window paste in the following command

    grep "www.retailmenot.com" /etc/hosts

    It should return no entries.

    If it isn't that you can maybe try flushing your DNS cache. My findings suggest the following should work. These are all still from within the Terminal window.

    1. dscacheutil -flushcache
    2. sudo discoveryutil mdnsflushcache (you'll be asked for your OS X password here for confirmation).
    3. sudo discoveryutil udnsflushcaches (you'll be asked for your OS X password here for confirmation).

    After those it might be worth following it up with a reboot. Does the problem persist? At that point I would ask what extensions you have loaded in both browsers.

    If it's only specific pages that are redirecting you then I would wonder if it's something on that page in question. The URL would at least allow us to test it and see if we get the same.

    Sorry I couldn't say anything more concrete as of yet. This issue would seem to be outside of 1Password and it's tough to say at this point based on what we know.

  • randy_va
    Community Member

    Littlebobby - Thank you for the suggestions. I agree that 1PW may not be the issue. It's curious that there is a 1PW login entry, however, containing the same password as my Backblaze account. I have no idea how that occurred.

    Regarding your suggestions, I checked the hosts file using Terminal - no entries were returned. I flushed the DNS cache as directed, then re-booted. The problem persists - and there was a new discovery - see below. Web browser extensions are 1Password, Save to Pocket and AdBlock.

    If I type "www.retailmenot.com", the browser goes to the proper retailmenot.com web site. When I type www.retailmenot.com/out/xxx/1111111 or any of a number of other random letter and number combinations, the browser goes to the retailmenot.com domain, but to a different page containing the message: "Sorry! We can't seem to find that page ..." with a selection of several retailmenot coupon codes from which to choose. When I type www.retailmenot.com/out/.... adding one specific combination of letters and numbers, then I am directed to the Backblaze site as indicated before, not to the retailmenot.com website. This occurs in both Safari and in the Firefox web browsers. Here is an interesting discovery that I just noted: When I type this one specific URL with the "magic" combination of 3 letters + specific numbers, a dropdown box appears below the Safari browser URL/search box, reading: "Top hit: Unlimited Online Backup - Easy, Secure Online Backup Services .... BackBlaze", and the BackBlaze icon appears in the browser URL/search box. It appears that there is some type of history or DNS cache entry that is recognized, and the browser is redirected to the Backblaze website. (I have not disclosed the specific letters/numbers combination represented by the xxx/1111111 mentioned above). I have already contacted AppleCare support and cleared all of my Safari history, cookies and website data.

    Is it possible that some type of DNS or cache entry is stored somewhere else? In my router, maybe? It's a D-Link router, DIR-655. I don't see any provision for a DNS cache in the router, and posts in a DLink support forum suggest that this router does not have a DNS cache. I have my DNS servers set (at the router level) to the OpenDNS servers. OpenDNS is a service that provides DNS servers and setup profiles to block certain websites such as pornography, gambling, malware-associated sites, etc.

    Are there any other caches or history lists that could be checked? Maybe a Google search or history cache? And I still can't figure out the duplicate 1PW entry.

    Thanks for the help.

  • littlebobbytables
    1Password Alumni

    Hi @randy_va,

    This is odd.

    Would you be willing to share this specific URL either via a direct message here on the forums or in our ticketing system? It would be interesting to see if we can reproduce your findings as well as looking at the code for that page. Given it's a very specific URL and others are working as 'normal' for you my gut feeling at the moment is it shouldn't be DNS. It's the cross-browser nature of it, even after you've wiped things like cache, cookies and history away that make me wonder if it's a misconfiguration server-side with that specific URL. Why though? I can't say as it is odd.

    Just so there is no confusion later. Of the extensions you're running am I correct with the following?

    I ask as there are actually a few different AdBlocks out there and Apple return 4 entries on their Safari Extension page (https://extensions.apple.com/?q=adblock).

    The 1Password entry is also puzzling. Assuming you save Logins via the 1Password Browser Extension it should only be capturing the URL for the page you're visiting. Even if somewhere in the chain somebody is injecting something into the site what I can't figure out is for what purpose?

    I hope we can find the cause to satisfy curiosity as well as ease your concerns of course!

  • randy_va
    Community Member

    Littlebobby - You are certainly going above and beyond with the support! Help much appreciated.

    Yes, the Adblock and Pocket Safari extensions are the ones you listed - I verified the domains (not just the appearance of the icons).

    I don't see any harm in posting the specific URL, which is http://www.retailmenot.com/out/4887811. It's important to enter the exact URL, including the http://www... part and the ... .com... part. I expect that you will not be redirected as I was. The AppleCare rep that I dealt with tried this URL also, with a "normal" result, i.e., directed to a site within the retailmenot.com domain and not to Backblaze.

    I have done some more troubleshooting in the meantime. The "magic" URL above causes my iPad and iPhone (both using Safari browser) to be mis-directed to the Backblaze site! I also noticed the same browser URL/search block behavior. As soon as I typed that specific URL in the browser URL/search block, a drop-down box appeared with "Top Hit - Unlimited Online Backup .... BackBlaze". In other words, this specific URL was instantly recognized and redirected. 1Password is installed on my iPad and iPhone.

    Another observation: when entering the above URL in the iPhone's Safari URL/search block, a dropdown box appears showing:
    Top Hit -
    RetailMeNot: coupon codes ...

    Bookmarks and History
            RetailMeNot: coupon codes ...
            Unlimited Online Backup - ... BackBlaze ...
    

    The above entries appear as soon as the following portion of the URL is typed: "http://www.retailmenot.com/out/". I don't even need to finish typing the trailing numbers and letters. The key hit, of course, is the 2nd entry under the "Bookmarks and History" heading. That's the BackBlaze domain.

    Again, this leads me to believe that there is some sort of "shared" cache or history list that is causing the misdirection. Could this have something to do with Apple's OS X/IOS continuity and sharing features?

    On the other hand -- the misdirection also occurs on my Android phone (Nexus 5, Android 5.1). 1PW is also installed on this phone, using the same vault as that used on my iMac, iPad and iPhone. This would tend to rule out Apple's continuity/sharing features.

    Looking for common features associated with the problem, there appear to be three: my LAN, 1Password and maybe something associated with Google - search or browsing history caches perhaps. Maybe you can think of more. I already tried removing caches, browsing history, etc. I also re-booted my router. Thinking along the Google train of thought, I tried changing the Safari preferences in my iMac (OS X 10.10.3) to use the DuckDuckGo search engine instead of Google and deselecting the "Smart Search Field" checkboxes. No love - problem still there.

    Any other thoughts?

    Thank you.

  • littlebobbytables
    1Password Alumni

    Hi @randy_va,

    I'm surprised at the results of the AppleCare rep as it redirects for me too. I followed this up with a wget on it and managed to see this.

    wget http://www.retailmenot.com/out/4887811
    --2015-04-11 18:10:27--  http://www.retailmenot.com/out/4887811
    Resolving www.retailmenot.com... 184.86.88.22
    Connecting to www.retailmenot.com|184.86.88.22|:80... connected.
    HTTP request sent, awaiting response... 302 Moved Temporarily
    Location: http://backblaze.com [following]
    --2015-04-11 18:10:30--  http://backblaze.com/
    Resolving backblaze.com... 162.244.56.106
    

    What we now know is RetailMeNot's server is serving a redirect which is why you're seeing what you are. So unless they're also using a CDN and we just both happen to be accessing the same server I would expect the AppleCare rep to be able to replicate this.

    So your system at any level isn't compromised. We're still none the wiser why they have this 'temporary' redirect going on or how this other entry in 1Password was created. I'd say change your password at Backblaze and, as you're a customer over there, maybe drop them an email letting them know what you've discovered - let them make a polite enquiry to RetailMeNot. If they get back to you I'd love to hear what they say and I think I'm going to ask a couple of our more capable web guys a few questions as I've got this nagging feeling about mod rewrites that I want to ask them about.
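The two checks the thread walks through, the hosts-file grep earlier and the wget redirect trace above, can be combined into one small diagnostic that tells a local override apart from a server-side redirect. This is an added example, not code from the thread or from 1Password; the hosts-file text and the raw HTTP responses are constructed inline (the 302/Location sequence mirrors the wget output), and the override address 198.51.100.7 is a placeholder.

```python
# Constructed sample inputs (not taken from any real machine).
HOSTS_CLEAN = "127.0.0.1 localhost\n255.255.255.255 broadcasthost\n"
HOSTS_TAMPERED = HOSTS_CLEAN + "198.51.100.7 www.retailmenot.com  # constructed override\n"

# Raw responses in the order a client would receive them, modelled on the
# "302 Moved Temporarily" + "Location: http://backblaze.com" seen with wget.
RESPONSES_302 = [
    "HTTP/1.1 302 Moved Temporarily\r\nLocation: http://backblaze.com\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>backblaze</html>",
]
RESPONSES_OK = ["HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>coupons</html>"]


def hosts_override(hosts_text, hostname):
    """Return the address a hosts file pins `hostname` to, or None.
    Equivalent to the `grep "www.retailmenot.com" /etc/hosts` check, but
    ignores comments and matches whole names rather than substrings."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if hostname.lower() in (n.lower() for n in names):
            return addr
    return None


def redirect_chain(responses):
    """Parse raw HTTP responses into a list of (status, Location) hops,
    stopping at the first non-3xx response, as a redirect-following client would."""
    hops = []
    for raw in responses:
        head = raw.split("\r\n\r\n", 1)[0]
        status_line, *header_lines = head.split("\r\n")
        status = int(status_line.split()[1])
        headers = {}
        for h in header_lines:
            name, _, value = h.partition(":")
            headers[name.strip().lower()] = value.strip()
        hops.append((status, headers.get("location")))
        if not 300 <= status < 400:
            break
    return hops


def diagnose(hosts_text, hostname, responses):
    """Classify the symptom: local hosts override, server-side redirect, or neither."""
    if hosts_override(hosts_text, hostname):
        return "local: hosts file overrides " + hostname
    targets = [loc for status, loc in redirect_chain(responses) if 300 <= status < 400 and loc]
    if targets:
        return "server-side: redirected to " + targets[-1]
    return "no redirect"
```

On a real machine you would feed `hosts_override` the contents of /etc/hosts and `redirect_chain` the responses captured by a client that does not auto-follow redirects.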

  • randy_va
    Community Member

    I'm very impressed that you were able to resolve this, or at least discover where the problem is.

    Since my most recent post, I called AppleCare again. The rep's computers (Apple and Windows) were redirected also. His assessment, like yours, was that the problem was with retailmenot.com's website causing the redirect. Perhaps the first AppleCare rep did not type in the full URL exactly, including the http://www part as I mentioned earlier.

    I will change my Backblaze password, and now I feel free to start using 1PW on my wife's computer and on a MacBook Air that we share.

    I still need to figure out the reason for the passwords being duplicated in my 1PW vault entries. It may have something to do with my "stumbling around" trying to learn 1PW early on. Maybe I clicked on 1PW's password generator at an inopportune time. I have deleted the retailmenot.com entry and will change the Backblaze password.

    Thanks again, this was very helpful.

  • littlebobbytables
    1Password Alumni

    Glad we could help @randy_va and it was certainly a puzzle you brought with you :smile:

    If you learn anything more please do tell me, I would love to know more myself.
