A new 1password password for a site was hijacked by a site 38.ekmsecure.com
I was filling in a password for a new site and used the 1password generator. I went on to the site and made a small purchase and logged off. Later on I couldn't find the site on the 1password list. I found the password that was used for my site was now listed by 1password as being used on 38.ekmsecure.com, which is not a site I know and certainly not the site I wanted the password for.
The password was literally hijacked by 38.ekmsecure.com and would open both sites.
Very worrying
David
Comments
I entered a 1password generated password on a new site. This was accepted by the site and I made a small purchase. I logged off and then, because I have had problems with the new passwords not being recorded properly, I decided to go back into the site. I could not find my site on the 1password list of logins but I did find the password on a site completely unknown to me, 38.ekmsecure.com.
It would seem that 38.ekmsecure has hijacked my password; the 1Password listing for 38.ekmsecure and my original site had the same password. Very worrying.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: kb:check-extension-version, kb:diagnostics
0 -
I think, in order to get to the bottom of what might have happened, we really do need much more information from you. Please tell us:
- What version of 1P for Mac you are using
- What browser you are using
- The 1Password Browser Extension version
- If it's not confidential, the URL of the site for which you originally generated the password using 1Password
- Whether the generated password appears in your 1P Password category (which stores generated passwords not specifically linked to a saved login item)
- The URL saved with the generated password in your 1P Password category (if, indeed, the generated password appears in that category)
I do think it's pretty unlikely your copy of 1Password has been "hacked" (at least so long as you have a strong master password) as I don't think anyone has ever reported here a proven case of that happening.
Edit: @dcombs I'd already answered your first post when I found you'd started another thread about the same problem. I've merged the two because having two separate threads about the same problem not only makes support a challenge, it also makes it hard for you to know where to look for answers to your problem.
Stephen
0 -
Hi @dcombs,
What you described could actually be normal behavior, although I can understand how it would be confusing to see something like that. When 1Password mini saves a new Password item or Login item on a website, it records the URL of the web form you filled/submitted. It's possible the login form on that site was really coming from another site, but it's really difficult to tell for sure what happened without being able to test that ourselves. If you can let us know the information Stephen asked for (especially the original URL, if possible), we'll be happy to check that out to see what happens. Thanks!
0 -
Hi, Firstly sorry about the double problem report, I wasn't sure the first one had gone.
The 1password version is 5.3,
I don't seem to have a 1password extension
The site was thecornmill.com
The rogue site had its details on a "password" category
After using 1password theCornmill.com let me log in and I thought all was well but after I logged out I did check to see if the logon had been recorded, which it hadn't. It took me some time to get back in to their site as Safari kept giving me Unable to locate server error.
This delay gave me some time for a bit of a hunt and by chance I found the rogue entry in the "password" category and the password quoted was the same as on my clipboard from the original 1password request. The rogue entry was dated correctly.
I used the clipboard password to enter thecornmill.com site without a problem and I replaced the password immediately. Came out, trash canned the Rogue password entry, ran a virus check and sent a report to yourselves.
38.ekmsecure.com is nothing I have knowingly come across
Weird stuff,
Thanks
David
0 -
Hi @dcombs,
I went to http://thecornmill.com/ to investigate. On their "How to login" page, it says: "To be able to login to this website you will need to have saved your details when prompted at the checkout with your first purchase."
So it seems this may not be reproducible without making a purchase from the site, so I can't say for sure, but I have a guess about what's happening here. Navigating to 38.ekmsecure.com redirects to https://www.ekmpowershop.com/, where I see "Use ekmPowershop to easily create a powerful ecommerce website," so I'd wager that thecornmill.com is using ekmPowershop to run their checkout site, and since that's where the login is created, it's very likely that 38.ekmsecure.com is the actual URL of the site you were on when you saved the login credentials.
As far as I know, there's not really a way for any site to "hijack" a 1Password item, so I don't think this is anything to worry about. But kudos for keeping that eagle eye out for your digital security! Stay vigilant. :glasses:
0