Only last two octets of IP address checked for filling

alexiaa
Community Member
edited December 2018 in 1Password in the Browser

When filling on websites with an IP address, only the last two octets are considered, so if there's a login for http://192.168.0.1/, it's detected as having a hostname of "0.1". It works fine on 192.168.0.1, but it will also be filled on any other IP ending in "0.1". This is confusing and it's a potential security risk (though the extension doesn't seem to autofill logins without user interaction). I haven't tested IPv6 but that should probably be checked as well.


1Password Version: Not Provided
Extension Version: 1.13
OS Version: Windows 10
Sync Type: my.1password.com

Comments

  • cecelia
    edited January 2019

    Hey @nyuszika7h

    Thanks for reaching out and sharing this feedback and your concerns. ❤️

    Though it appears to be a security issue, this is really a display issue. Although login items will be suggested on other IPs ending with 0.1, they will not fill, as that IP wouldn’t be included in the 1Password item's allowed domains list. In other words, an item with a website of https://192.168.0.1/ will not be allowed to fill on https://1.1.0.1/. This is thanks to our friendly execute fill script matching the hostname that we are filling on to the allowed domains list.

    That being said, I'm sorry for the disruption this has been to your workflow. I have gone ahead and reported this to my team so we can get started on a fix right away.

    ref: xplatform/security#8
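
The two checks this thread distinguishes, as an added example that is not 1Password's code: a suggestion key built from the last two dot-separated labels (which turns 192.168.0.1 into "0.1"), an IP-aware key, and an exact-hostname gate at fill time. All function names and sample URLs are hypothetical, and the two-label rule for domain names is a simplification (a real matcher would consult the Public Suffix List).

```javascript
// Added example; every name here is hypothetical, not the extension's API.

// Dotted-quad IPv4: exactly four decimal octets, each 0-255.
function isIPv4(host) {
  const parts = host.split(".");
  return parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// URL.hostname keeps IPv6 literals bracketed, e.g. "[fe80::1]".
function isIPv6(host) {
  return host.startsWith("[") && host.endsWith("]");
}

// Naive key: last two labels, applied to IPs as if they were domain names.
// This reproduces the "0.1" hostname described in the original post.
function naiveKey(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// IP-aware key: an IP literal is an opaque identifier and is never truncated.
function suggestionKey(url) {
  const host = new URL(url).hostname;
  if (isIPv4(host) || isIPv6(host)) return host;
  return host.split(".").slice(-2).join("."); // simplification, no PSL lookup
}

// Fill-time gate: the page hostname must exactly equal a hostname saved on
// the item, regardless of which items were suggested.
function mayFill(pageUrl, itemUrls) {
  const host = new URL(pageUrl).hostname;
  return itemUrls.some(u => new URL(u).hostname === host);
}

// Group URLs by a key function so collisions become visible.
function groupBy(urls, keyFn) {
  const groups = Object.create(null);
  for (const u of urls) {
    const k = keyFn(u);
    (groups[k] = groups[k] || []).push(u);
  }
  return groups;
}

// Constructed sample input.
const SAMPLE = ["http://192.168.0.1/", "https://1.1.0.1/", "http://10.0.0.1/",
                "http://[fe80::1]/", "https://login.example.com/"];
```

Running `groupBy(SAMPLE, naiveKey)` puts all three IPv4 hosts under the single key "0.1", while `groupBy(SAMPLE, suggestionKey)` keeps each address separate.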

This discussion has been closed.