Fill weak matching may paste username / email into random input text field
Splitting this off from: https://discussions.agilebits.com/discussion/comment/433720/#Comment_433720
If there are no password input fields on a page then 1Password fill may leak your username / email address by pasting it into a random text input field on the page.
The saved URLs and web form details are simply ignored with this weak matching.
There is no option to specify that the saved page URLs and web form fields must be honoured for high security sites.
Go to any site which does NOT have an embedded login form with an input password field in the page.
Save a login on the actual login page eg that might be /login with fields username and password in saved form details.
Logout and attempt to use fill on any page other than the /login page.
1Password will paste your username / email address into a random input text field on the page not caring about the consequences.
Sometimes this might be a hidden field or off screen that you cannot see so it look like 1Password did nothing.
This could also be a third party component like a search form using an external API for auto complete. 1Password just leaked your username / email to a third party server as a search term.
Another example is multiple accounts on the same server or multiple services on subdomains.
If you happen to have a shared Google Doc open and you try to fill a different Google login thinking 1Password would open your saved login URL (or even just clicked / double clicked accidentally in mini) then 1Password will paste your username / email into the Google Docs title instead leaking it to everyone including anonymous people using a public link.
This kind of guessing logic is just dangerous for a security product even if you have checks which try to avoid scenarios like search fields. You can't check for every possible language and naming convention.
There should be a high security option for logins that disables this kind of weak matching.
1Password Version: 7.0.1
Extension Version: 4.7.1.4
OS Version: OS X 10.13.4
Sync Type: Not Provided
Comments
-
Agreed. I started a thread on the non-beta forums about this (on mobile so I can’t link right now but just look at my profile). This is a serious issue that I can’t believe AgileBits is casually dismissing
0 -
-
I'm going to close this thread, you can keep the conversation going in the one that you've cross linked. Multiple threads only spreads the CS team thin because they have to reply to each one individually.
Rudy
0