Site Credentials Overwriting URL Bar in Browser

Hi,

I'm having issues when attempting to login to the Citi page at https://www.citi.com/credit-cards/citi.action. I've seen multiple postings about this site elsewhere on this forum, but I think this is a new issue.

Specifically, my password is being auto-pasted into Chrome's URL bar in clear text!! There's nothing else in the URL bar...just the password.

Here's the sequence of actions that leads to this result:

1 - I open my Citi login within the 1Password application (the main app opened via the task bar icon, not the browser extension).

2 - I click the Citi URL saved within the login to visit the site. I've triple-checked and the URL does not contain my password or user ID. It is simply https://www.citi.com/credit-cards/citi.action

3 - Chrome opens to the Citi site, my user ID and PW credentials are auto-filled on the page by 1Password, and the URL bar of the Chrome browser is over-written with my password in clear text. No manual action on my part is required. This entire step occurs automatically.

Luckily I noticed the issue before hitting enter to login.

Of course, I reset my Citi password immediately.

Thinking that the Login was corrupted, I deleted it from 1Password. Then I went back to the Citi site by pasting the URL manually into Chrome (the page looks fine when I do this...the URL bar doesn't show my password), entered my new credentials by hand, and then used "Save New Login" to manually create a new Login. I also made sure to edit the UserID of the new Login to resolve the issue of embedded "***" characters that I've read about in other postings on this forum.

I then opened the Citi site using the 3 step process documented above. Same problem :( except now the new password was pasted in clear text within the Chrome URL bar.

I've reset the password yet again, and am hesitant to try creating a new Login for the 3rd time.

Because of the odd behavior of the Citi site with embedded *** characters, I enabled the "Use Auto-Type in Web Browser" and "Send Ctrl+A Before Auto-Type" options for this Login. Note that I did NOT press Ctrl+\ in the 3-step sequence described above, so this isn't an issue of having the cursor in the wrong field before starting auto-type. When I do press Ctrl+\ after placing the cursor manually in the UserID field, it fills both the ID and PW fields correctly. But, my password continues to show up in clear text in the Chrome URL bar from the initial loading of the page.

Suggestions welcomed.


1Password Version: 4.6.0.598
Extension Version: 4.5.1.90 (Google Chrome)
OS Version: Windows 7 Pro SP1
Sync Type: Not Provided

Comments

  • ArcTangent
    ArcTangent
    Community Member

    Hi Site Moderator,

    I just noticed a few minutes ago that there's a dedicated "Saving & Filling Browsers" section on this forum. Please feel free to move this post to that section if more appropriate. I couldn't figure out how to do that without creating a duplicate post.

    Note, however, that the issue I'm experiencing does not happen when I use the browser extension. It only occurs when opening the site by clicking the URL within the corresponding Login window of the main 1Password for Windows application.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I just noticed a few minutes ago that there's a dedicated "Saving & Filling Browsers" section on this forum. Please feel free to move this post to that section if more appropriate. I couldn't figure out how to do that without creating a duplicate post.

    @ArcTangent: No problem! That's a great idea. I was thinking the same thing...but let's see where this goes first, as I think it may not be related to browsers at all. :)

    Note, however, that the issue I'm experiencing does not happen when I use the browser extension. It only occurs when opening the site by clicking the URL within the corresponding Login window of the main 1Password for Windows application.

    That was my takeaway from your original post, but thanks for clarifying that just to remove any doubt I might have had.

    It just so happens that I have a Citi account (or two, or three...) myself, and it's definitely been a struggle over the years as their site has continually changed...but this is definitely one issue I haven't encountered!

    Thank you for the detailed explanation and steps to reproduce. Initially, I wasn't seeing this issue, but you dropped a hint toward the end:

    Because of the odd behavior of the Citi site with embedded *** characters, I enabled the "Use Auto-Type in Web Browser" and "Send Ctrl+A Before Auto-Type" options for this Login.

    1Password doesn't send your login credentials to the extension in plaintext, and even if it did (ew), Chrome strips any additional information from the command and puts only the URL in the address bar, which means that something is happening after that for your password to end up there...and that something is Auto-Type.

    Even though your description seemed to indicate that it was happening originally, until I enabled Use Auto-Type in Web Browser, I wasn't seeing this behaviour. Please disable that setting your Citi login to see if that helps. You pretty much want it to look like this:

    Except you really only need this URL. I've found that it works best with 1Password across browsers and platforms (at least until they change something again):

    https://www.accountonline.citibank.com/cards/svc/LoginGet.do

    Now, I'm still seeing some different behaviour on the website itself (possibly due to cookies), since I'm not getting a login form there at all unless I click the Sign On button at the top first:

    Ah, the eternal struggle. Please let me know if disabling Auto-Type and Ctrl+A helps. :)

  • ArcTangent
    ArcTangent
    Community Member

    That resolved the issue! Thanks @brenty

  • That's great to hear and on behalf of Brenty, you're welcome.

This discussion has been closed.