1Password Chrome extension aggressively filling in credit card numbers

Options
kasima
kasima
Community Member
in Mac

I've been finding that 1Password as been filling my credit card number in too many fields as of late. This was happening with github.com (but has been fixed) and now I'm seeing it on avangate.com as well.

It's scary that my credit card might end up in some unencrypted field without me noticing. I hadn't seen this problem until a few weeks ago.

Comments

  • kasima
    kasima
    Community Member
    Options

    This is also happening with Paypal, on their credit card form. It fills in the Home Phone Number with the credit card number. Given how popular 1Password is, this is probably a non-trival exposure.

  • sjk
    sjk
    1Password Alumni
    edited June 2014
    Options

    Hi @kasima,

    Thanks for reporting this problem. We're aware of other cases like this with inaccurate credit card number filling on PayPal checkout forms and are working on a fix. I'll let the developers know there's similar trouble with avangate.com. Do you have a more specific URL there where it's happening? Also, which version of the 1Password extension for Chrome are you using when it does?

    Thanks again!

    .

  • daviddemello
    daviddemello
    Community Member
    Options

    I also experience this problem at https://www.rivbike.com/one-page-checkout.asp . You can get there by adding anything to your cart and checking out using guest checkout. If I position my cursor in the credit card field CreditCardNumber and autofill my 1Password-saved creditcard info, it will fill in all of the credit card fields correctly, but it will also paste my credit card number into the phone fields of the billing and shipping address. Those fields are named BillingPhoneNumber and ShipPhoneNumber respectively, which doesn't provide any indication as to why 1Password would mistake them for credit card number. Also, I don't think it's the fault of the form itself or any JavaScript it has running. I've tried pasting the ccn manually and then tabbing to the next field and it doesn't update the phone number fields in that case.

    Good luck resolving this. It's made me pretty paranoid about using the feature. What if the shadow ccn-receiving-field were hidden?

  • sjk
    sjk
    1Password Alumni
    edited June 2014
    Options

    Hi @daviddemello,

    Thanks for the detailed report. I am able to reproduce this bug with version 4.2.1 of the 1Password extension, yet fail to with 4.2.2.BETA-4 which has ‎this fix:

    [FIXED] Fill credit card and identity no longer allows a field to be filled into multiple input fields.

    The 4.2.2 extension update should be out of beta soon.

    Or if you'd like to give the beta a try, open the 1Password Extension page in your browser, then select Enable betas before clicking the big green Install button. With Chrome, make sure it's the only extension enabled on the chrome://extensions page. Then restart the browser. Reverting to the stable release is relatively easy by reinstalling/reenabling it and removing/disabling the beta (depending on the browser). :)

This discussion has been closed.