I found a super simple bug in Mac "Share To Email" Feature! You need to look into your URL encoding!

tuna_hp
Community Member

Hi 1Password developers,

I am a new software developer myself and I was excited to find a bug that I would know how to fix.

I went to share a password by email, which I understand works differently in recent versions of 1Password (you no longer encrypt the email message).

However, I noticed that when my password share message popped up in a Chrome Gmail window, the actual password was cut short. It didn't display the full password that was in the 1Password client, only the first few characters. Upon closer inspection I noticed that the character that the email choked on was the "+" symbol.

To me, with a little experience programming links that generate pre-formatted emails using mailto:, and with similar features that also use URL encoding like pre-formatted share messages for Facebook and Twitter, this tells me that there's something wrong with your URL encoding, or possibly that you have to account for escaping special characters.

My recommended fix would include adding tests that verify the results of the email output including a variety of special characters.

If you email me at the address associated with this account, I'll provide my Github handle and you can credit me on your branch.


1Password Version: 6.3.2
Extension Version: Not Provided
OS Version: OS X 10.11.6
Sync Type: Not Provided
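
The round-trip test the report above recommends, as an added example that is not part of the original thread or 1Password's code: it builds a mailto: URL with and without percent-encoding and checks whether the password survives decoding. The function names, the sample passwords and the two decoder models (plain percent-decoding, and form-style decoding where "+" means space) are assumptions for illustration, not the behaviour of any particular mail client.

```javascript
// Added example. All passwords below are constructed sample values.

// Unsafe: pastes the raw text into the URL, so "+", "&" and "#" keep
// their URL meaning instead of being treated as part of the password.
function naiveMailto(subject, body) {
  return `mailto:?subject=${subject}&body=${body}`;
}

// Safe: percent-encode each header value. encodeURIComponent escapes
// "+" as %2B, "&" as %26, "=" as %3D, "#" as %23 and space as %20.
function encodedMailto(subject, body) {
  return `mailto:?subject=${encodeURIComponent(subject)}` +
         `&body=${encodeURIComponent(body)}`;
}

// Consumer model 1 (assumed): plain percent-decoding, "+" stays "+".
function strictBody(url) {
  const query = new URL(url).search.slice(1);
  const pair = query.split("&").find((p) => p.startsWith("body="));
  if (pair === undefined) return null;
  try {
    return decodeURIComponent(pair.slice("body=".length));
  } catch {
    return null; // malformed escape such as a bare "%"
  }
}

// Consumer model 2 (assumed): form-style decoding, "+" means space.
function formBody(url) {
  return new URL(url).searchParams.get("body");
}

// Round-trip check: does the recipient see exactly what was shared?
function roundTrips(build, password) {
  const url = build("Shared item", password);
  return {
    strict: strictBody(url) === password,
    form: formBody(url) === password,
  };
}

const samples = ["correct+horse", "Xy7+pQ&z=9#end", "a b%c?d+e"];
for (const pw of samples) {
  console.log(JSON.stringify(pw), "naive:", roundTrips(naiveMailto, pw),
              "encoded:", roundTrips(encodedMailto, pw));
}
```

With the unencoded builder, a password containing only "+" survives the first decoder but not the second, and one containing "&" or "#" is cut short under both.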

Comments

  • Hi @tuna_hp,

    At first glance, it looks like you are correct. The URL to add the item to 1Password appears to be properly encoded, but the entire content itself is not. The most common mail app is Mail, of course, and it accepts the unencoded + ok, but it appears Thunderbird, and obviously, a Chrome Gmail window, do not.

    Thanks for taking the time to report this. I have raised issue OPM-4375 in our tracking database. I don't have an exact date when it will be fixed, but it is posted in the database now so it will be looked at.

    Also, to clarify a bit about your "you no longer encrypt the email message". 1Password never did encrypt items shared via mail. It was obfuscated, but never encrypted. Otherwise, the recipient would have needed a passphrase to decrypt it, and you would need a separate, secure and verifiable way to send the passphrase to the recipient. We did not want to give a false sense of security to our customers, so now we send the plain text along with the obfuscated URL so they are reminded it is not encrypted.

    Cheers,
    Kevin

    ref: OPM-4375

  • dpwct
    Community Member

    Can you explain how to share passwords when using the various versions (individual, team, family), and what has changed since previous versions? When I try to share I get the message "Sharing your items outside of 1Password sends them in plain text. Please be confident in the security of the method you use to share." Is there a more secure way to share these?

  • jpgoldberg
    1Password Alumni

    Hi @dpwct,

    I do realize that the (apparent) changes in sharing can be confusing, but hopefully this will help:

    1. Item sharing (Email, SMS, etc) has never been encrypted, only obfuscated. The change we introduced last Spring was to make this fact more clear to people so that they can make better decisions about what to share or not and how.
    2. Sharing within Teams and Families is secure, as the data will be encrypted with the public key of the recipient. This has always been the case with Teams and Families, but Teams and Families are relatively new.

  • dpwct
    Community Member
    edited October 2016

    Looks like I should get a family or teams account. Can you explain the differences (other than price and # of users) between family and teams?

  • Ben
    edited October 2016

    @dpwct,

    Sorry for the delayed reply.

    1Password Families is only available to folks looking to use 1Password for personal use. When using 1Password within a business 1Password Teams is the way to go. Families can also use 1Password Teams, but there are few that take this route.

    1Password Teams has more advanced options for controlling the permissions users have. With 1Password Families the choices for levels of access (per vault) are: none, read, and read/write. With 1Password Teams the permissions are much more granular. There are also some additional features with teams such as custom groups (where families don't tend to have enough people to consider groups), activity logging, and custom roles, all built around the needs of businesses.

    The two are not generally talked about in the same context as they have totally different audiences. Families should use 1Password Families and everyone else should use 1Password Teams. :)

    Ben

This discussion has been closed.