Autofill for kayak.com directed to http://www.kayak.com/?onepasswdfill=[32 character hex]

I've never seen 1Password behave this way before. Has my password been exposed or anything else ungood?

Exact Steps Taken:
1. 1Password extension for Chrome was NOT installed at the time.
2. Went to 1Password mini, selected the Kayak login.
3. The website had not been filled in 1P, so it took me to "This webpage not found".
4. Edited the Kayak login to include website = www.kayak.com.
5. Selected the entry from 1P mini again.
6. Took me to http://www.kayak.com/?onepasswdfill=[32 character hex].

I have now installed the Chrome extension and changed the Kayak login to website = https://www.kayak.com and it seems to be working fine.

System information:
1Password 4, Version 4.4.3 (443000), Agile Web Store
OSX 10.9.5
Chrome for Mac Version 42.0.2311.135 (64-bit)

Comments

  • littlebobbytables
    1Password Alumni

    Hi @data_cat,

    I believe you saw what you did because the extension wasn't running, and don't worry, nothing bad has happened.

    When it comes to filling, there are two primary behaviours. If the login page is loaded and in focus, we simply fill and attempt to submit if so enabled. The other behaviour is called open and fill. This is what happens if you click on a URL from within the main 1Password window or select a Login item from the 1Password mini menu but it doesn't match the domain of the in-focus tab in your browser. So if the URLs match, try to fill the existing page; if they don't, open a new tab, load and then try to fill. With the way that 1Password and the browser extension communicate, though, we need a way of essentially saying "Oi! extension, we want filling to happen here once it has loaded". That's what the gobbledygook was. That string was merely an identifier that contained no secret information. The idea is that once the URL has been passed to the browser, and before anything else happens, the ?onepasswdfill=... is meant to be stripped from the URL, but no extension, no stripping of the extraneous text from the real URL. Normally this all happens so fast and behind the scenes that you're not meant to know it happens at all.

    So just to confirm, your password hasn't been exposed and your machine is fine. If you have any follow-up questions please do ask :smile:

This discussion has been closed.
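
A minimal model of the open-and-fill handoff described in the reply above, added here as an illustration; it is not 1Password's code and not part of the thread. The function names, the in-memory map, the single-use rule and the sample token are assumptions; only the `onepasswdfill` parameter name and its 32-hex-character shape come from the post.

```javascript
// Hypothetical model of "open and fill"; every name except the URL
// parameter is an assumption made for this example.
const FILL_PARAM = 'onepasswdfill';   // parameter name seen in the post's URL
const TOKEN_RE = /^[0-9a-f]{32}$/;    // "32 character hex", as in the post

// App side (assumed): remembers which item to fill for each identifier.
// The map stays inside the app; only the identifier is put in the URL.
const pendingFills = new Map();

function buildOpenAndFillUrl(siteUrl, token, itemId) {
  if (!TOKEN_RE.test(token)) throw new Error('token must be 32 hex characters');
  pendingFills.set(token, itemId);
  const url = new URL(siteUrl);
  url.searchParams.set(FILL_PARAM, token);
  return url.toString();
}

// Extension side (assumed): sees the URL before the page loads, strips the
// marker, and reports which item, if any, should be filled after loading.
function handleNavigation(rawUrl) {
  const url = new URL(rawUrl);
  const token = url.searchParams.get(FILL_PARAM);
  if (token === null) return { url: rawUrl, itemId: null }; // ordinary navigation

  url.searchParams.delete(FILL_PARAM); // strip even when the token is unknown
  const known = TOKEN_RE.test(token) && pendingFills.has(token);
  const itemId = known ? pendingFills.get(token) : null;
  pendingFills.delete(token);          // single use (assumption)
  return { url: url.toString(), itemId };
}

// Constructed sample values, not taken from the thread.
const sampleToken = '0123456789abcdef0123456789abcdef';
const opened = buildOpenAndFillUrl('http://www.kayak.com', sampleToken, 'kayak-login');

// Without the extension nothing calls handleNavigation, so the browser
// requests `opened` as-is: the situation reported in the original post.
console.log('sent to browser:', opened);

// With the extension, the marker is removed and the fill is matched once.
console.log('first load :', handleNavigation(opened));
console.log('replayed   :', handleNavigation(opened));
```

In this model the value that reaches the site is only a lookup key, so replaying the URL or guessing a token yields a clean URL and no fill.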