1Password offering password for website not in my vault. Amazon.fr, for example.
I was under the, possibly false, impression that 1Password would only offer to provide a password if the internet address of the website in question matched up with a password entry in 1Password's vault. This is, or perhaps was, a valuable security feature against 'fishing' attempts.
I have no 1Password entry for www.amazon.fr. I do have a 1Password entry for amazon.co.uk. And I find that 1Password is offering a password up for the www.amazon.fr website. This 'feature' is referred to in the release notes for the recent IOS update.
So how is this working ? Right now I no longer have the confidence that 1Password will protect me, as I cannot predict what it is doing.
I would welcome your comments. Have you compromised security for the sake of 'convenience' ?
1Password Version: 6.2.2
Extension Version: Not Provided
OS Version: IOS, latest
Sync Type: Not Provided
Comments
-
Hi @mrw,
Thanks so much for taking the time to write to us with such a great question :+1:
Have you compromised security for the sake of 'convenience' ?
The answer is no. You may think that what you are seeing is a potential phishing exploit. Please rest assured that it isn't and here's why:
Sites like Amazon allow their users to log in with the very same account on all of their international sites. For example, if you live in the UK and have an "amazon.co.uk" login you can log into "amazon.fr", "amazon.com", "amazon.ca", etc. What we do under the hood when we show you the matching logins for Amazon, is called domain transformations and it is based on https://publicsuffix.org.
Please note that if you go on "amazon.ca" you will still see your 1Password "amazon.co.uk" login as a matching login. This is the expected behaviour. However, if you where on "stealyouramazon.com", you wouldn't see your "amazon.co.uk" as a matching login.
Please let me know if this helps :wink:
0 -
Hallo @Rad
Thank you for your comment, and apologies for my delay in responding.
It's still not clear to me how this works 'under the hood'.
Would the 1Password team consider making, perhaps, a blog post to explain how this does work, in detail ?
I was not aware of 'domain transformations' before, and I can see that they might be, to some extent, relevant. But somewhere inside itself, 1Password has to make a decision that amazon.co.uk, amazon.fr, and amazon.com are 'replicas', but amazon.org.uk is not. I don't see that 'domain transformations' in the sense of 'public suffixes' helps with that.
0 -
Thanks for getting back to me, @mrw!
Would the 1Password team consider making, perhaps, a blog post to explain how this does work, in detail ?
That's sounds like a brilliant idea, I will share your request with the rest of the team.
1Password has to make a decision that amazon.co.uk, amazon.fr, and amazon.com are 'replicas', but amazon.org.uk is not.
Yes indeed. 1Password "knows" that amazon.co.uk, amazon.fr, and amazon.com are the same site and that amazon.org.uk is not. When we implemented this, we relied on the official list mentioned by Amazon itself. The list of Amazon sites can be found on the bottom of amazon.com
If you have any other questions or concerns, please let us know.
Cheers!
0
