Autofill has serious security issues

Hey @ilolita ,

1Password uses a combination of field focus, the original details of the fields themselves when the login was originally created and the internal "brain" of 1Password that reads the page and makes educated decisions on where it should and shouldn't autofill to make sure we fill in the correct fields and not in any other fields

Did you personally encounter a website where 1Password autofilled wrong/malicious fields? Was the login item recorded directly from the page or was it created manually through the 1Password app? Are you able to share a link to such a website so we can test and investigate the issue?

Hello @ilolita,

That is a really fine paper, and the authors shared prepublication drafts of the paper with us. Research like this is extremely valuable to us, and it is also why someone from 1Password has attended Usenix Security most years over the past six or seven years. (Of course Usenix Security this past year was held entirely on line.)

In the loop

One thing that you will note is that 1Password always requires some user action (even if it is just ⌘-\ or Ctrl-\ ) before filling and we always have.

This is because from the outset, we have been aware of these kinds of threats. This is acknowledged in Sean and Scott's paper, for example with

KeePassXC, 1Password X, Dashlane, and LastPass autofill within same-origin iframes, leaving them vulnerable to clickjacking attacks. Bitwarden and RoboForm also autofill within same-origin iframes, though if user interaction is required they are largely immune [emphasis added] to clickjacking as this interaction happens outside of the website inside the extension drop-down.

With 1Password user interaction is required for filling. Always has been, always will be. We also do not allow cross-origin iframe filling. This means that when the tells 1Password to fill a page, the user knows what page really is being filled.

A few years ago, attacks like that hit the news, and I we up a bit about it in 1Password keeps you safe by keeping you in the loop. That is what addresses your primary concern, and is reflected in the "Interactions" column in their table 7.

Other points

Some of the other things that are mentioned in table 7 are the result of design choices and interactions. You will note that no password manager respects autocomplete=off (as banks tend to use that setting to actually discourage use of password managers). And others involve trade-offs and interactions, as when 1Password X performs the filling depends on what sorts of checks it can perform. In fact, 1Password analyzes the page twice. Once when identifying which logins it knows about that match the page and again later, closer to form submission time, to make sure that the page hasn't changed in the meantime. So there are a lot of fairly complicated interactions among these.

There is a division of labor between the browser and 1Password X for a few things. For example, the 1Password browser extension doesn't know whether there is a bad certificate for a site, but the browser does. So we have to ask the user to pay attention to browser warnings and not fill into sites that the browser tells you may be inauthentic. This, by the way, is another place our insistences on user interaction plays you: 1Password will never give up any of your secrets simply by you visiting a site.

I hope that this helps. And we will continue to work with the academic research community on the security of 1Password. And I really hope that I will be able to physically attend Usenix Security (and SOUPS) this year.