New eBay checkout filling issue
Filling seems not to work properly on the new eBay checkout when you pay with PayPal. Username gets filled to coupon field and password to nothing. 1Password also thinks I'm trying to login to eBay when I actually login to PayPal (PayPal is integrated to eBay somehow). I'm using Chrome.
Please test this yourself (pick item, buy it and then choose paypal as payment method), it is hard to explain it further :)
1Password Version: 6.5 beta 7
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@ollifi: Indeed, this isn't an eBay issue, a PayPal issue, or a 1Password issue, even though it involves all three, peripherally. This is a security issue. That may sound absurd, but it's on me to back up that statement. I had an idea what you were talking about, but wanted to confirm the details. This is the URL stub I'm getting when I checkout with eBay:
https://mbuy.ebay.com/xo?[RandomSessionID]
You'll notice that PayPal isn't in there. 1Password, by design, will never offer you a login for a URL that doesn't match it. You may very much want to use your PayPal.com login at eBay.com, but 1Password filling it for you there would be no different than if it did so at
www.paypa1.co.mu
(as a made-up example phishing site — edit: and that's actually a number 1 and not a lowercase L, so the fact that they look identical also illustrates my point). Phishing scams are real and have probably affected someone you know. So 1Password is designed not to fill a login saved with one URL at another. Now, you can actually add "ebay.com" to your PayPal login item as an additional URL if you'd like to use it on both sites. But it's important that 1Password takes a staunch, cynical view of non-matching URLs to protect us in the 99.99% of other cases.
I hope this helps. Be sure to let me know if you have any other questions! :)
0 -
Thanks for the reply. Paypal is nowadays shown in eBay as an iframe. Do you support filling in iframes?
EDIT: Iframe URL is
https://www.paypal.com/webapps/helios?state=XXX
, and that matches my PayPal login.
0 -
@ollifi Right now, we don't support this kind of filling. This could be a security concern because the parent frame has full access to the frame. So, while you might trust eBay in this way, other sites might be less trustworthy. It's unclear to me why eBay is approaching the payment process in this way. There are well defined ways for interacting with PayPal that do not require the user to fully trust the parent site, so I'm not sure why eBay have decided to approach the checkout process in the way that they have.
--
Jamie Phelps
Code Wrangler @ AgileBits
0 -
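The two replies above describe the rule at the heart of this thread: a saved login is only offered where the page URL matches it, and a PayPal frame embedded in an eBay checkout is judged by the top-level eBay URL, not the frame's own. The following Python is an added illustration of that decision, not 1Password's code; its matching rule (scheme must be https, host equals or is a subdomain of the saved host minus "www.") and the `allow_frames` switch are simplifying assumptions, and the URLs are constructed from the ones quoted in the thread.

```python
from urllib.parse import urlsplit

# Constructed sample URLs, based on the ones quoted in this thread.
PAYPAL_LOGIN_URLS = ["https://www.paypal.com/signin"]          # saved login item
EBAY_CHECKOUT_URL = "https://mbuy.ebay.com/xo?RandomSessionID"  # top-level page
PAYPAL_FRAME_URL = "https://www.paypal.com/webapps/helios?state=XXX"  # iframe
PHISHING_URL = "https://www.paypa1.co.mu/signin"                # digit 1, not L


def matches(saved_url: str, page_url: str) -> bool:
    """Simplified URL-matching rule (assumption, not the product's real rule).

    Refuses anything that is not https, then requires the page host to be the
    saved host (with a leading "www." dropped) or a subdomain of it. Look-alike
    hosts such as paypa1.co.mu fail because the suffix check is exact.
    """
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https" or not saved.hostname or not page.hostname:
        return False
    domain = saved.hostname.lower().removeprefix("www.")
    host = page.hostname.lower()
    return host == domain or host.endswith("." + domain)


def should_fill(item_urls, top_url, frame_url=None, allow_frames=False):
    """Decide whether a login item may be filled into the current document.

    With allow_frames=False only the top-level URL counts, which is the
    behaviour the thread describes: the PayPal frame inside eBay's checkout is
    judged as ebay.com. allow_frames=True models the alternative of trusting
    the frame's own origin, which the AgileBits replies decline to do.
    """
    target = frame_url if (allow_frames and frame_url) else top_url
    return any(matches(saved, target) for saved in item_urls)


if __name__ == "__main__":
    print("eBay checkout, PayPal item:", should_fill(PAYPAL_LOGIN_URLS, EBAY_CHECKOUT_URL))
    print("phishing look-alike:", should_fill(PAYPAL_LOGIN_URLS, PHISHING_URL))
    print("PayPal frame, frames ignored:",
          should_fill(PAYPAL_LOGIN_URLS, EBAY_CHECKOUT_URL, PAYPAL_FRAME_URL))
    print("PayPal frame, frames trusted:",
          should_fill(PAYPAL_LOGIN_URLS, EBAY_CHECKOUT_URL, PAYPAL_FRAME_URL, True))
    # The workaround brenty mentions: add ebay.com as an additional URL.
    print("ebay.com added to item:",
          should_fill(PAYPAL_LOGIN_URLS + ["https://ebay.com"], EBAY_CHECKOUT_URL))
```

The last case shows why the "additional URL" workaround is the user's explicit decision rather than the tool's: it widens the item's match set, and nothing in the rule itself distinguishes eBay from any other parent page.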
Thanks for the reply. I think many of your users use the PayPal + eBay combination, so perhaps you could add an exception in this case. Actually, I prefer the new layout to the old one. It looks nicer to the user and is easier since they don't have to navigate to a different page to complete the payment - everything is done on one page.
0 -
@ollifi: We won't be making an exception. That's a recipe for disaster. But if we can find a reliable way for 1Password to detect this and a good way to make it clear to the user what's going on, that may be a better approach that we can pursue in the future. But security comes first. We absolutely don't want to allow the possibility of 1Password filling in inappropriate places, and we also don't want to give the user the impression that this is happening, even when it isn't. We each have a right to know what 1Password is doing with our data. :pirate:
0 -
Thanks for the reply. I think an HTTPS protected PayPal frame in eBay isn't an "inappropriate place", but I understand your concern if the amount of exceptions would grow - that would make managing them difficult.
0 -
@ollifi: Indeed. That's definitely a big concern on our end, but also intuitive consistency is something we strive for in the user experience, since an app behaving "unpredictably" would cause me to trust it less and feel uncomfortable relying on it. So we also need to take into account that any exception we make is something else the user has to track in order to know what to expect when they use 1Password in their browser. It's not an easy call.
You're absolutely right that in this particular case it's almost certainly safe, given HTTPS and eBay and PayPal's established reputations. I don't mean to diminish that in any way. I use — and trust — both myself. But we need to consider all the ramifications of going down that path — and perhaps a better one can be found. Thanks so much for your thoughtful feedback on this! :chuffed:
0 -
This still seems to be a problem getting on for 6 months after this was posted. Whilst I understand the security concerns, 1password fails for me if it means that for Paypal I have to use a weaker password that I can type in manually. Is there any progress on fixing this?
0 -
@shaines186: That's like saying that you have to use a weak password for any iOS app which doesn't support the 1Password extension -- and that's a lot. Certainly it's less convenient than 1Password being able to automatically fill, but copying and pasting a strong password isn't so bad at all, especially compared to the alternative of an account compromised. As Jamie mentioned, this has repercussions far beyond eBay/PayPal, so while we won't say "never", we will say "not unless it can be done securely to avoid exposing 1Password users to phishing attacks".
0 -
@brenty: I can't really comment on that as I don't use iOS - this is in Chrome. For me the benefit of 1Password is that it is easy and quick to use strong passwords. I love 1Password, but any situation where it is unable to autofill makes it less attractive as a solution. With eBay/PayPal it is tempting to let eBay remember the PayPal login, but that effectively removes one layer of security. +1 for a solution to this.
0 -
It's your call, but if you control the device and use a long, strong unique password for your eBay login, having eBay remember your PayPal information is still more secure than using a weak password you can memorize and enter manually, since anyone could use that to get into your PayPal account.
0