Open & Fill mangling URIs - appending query string - garbage or security issue?

Hi @volts, 👋 thanks for the question. I'm happy to say there's no security problem here. Also, I admire your eye for detail!

Your points under "Observations" here are correct to my knowledge, as well as the fact that 1Password 8 is appending strings to URLs when you use Open and Fill as you've described. So what's going on here? Let's work through your questions:

Am I doing something really dumb?

Nope. You're fine. 👍

At first I thought this was a Quick Access bug, but it's happening in the main app too.

That's true, and it's by design.

This happens in multiple browsers

This is actually good! It means the feature is working.

This does not happen in the browser extension

This is also true, because the browser extension doesn't need to do it. I'll explain more on this momentarily. Let's go to the big question:

Is there a security problem - what is this information?

No, there's no security problem. What's happening here is that, when you press Open and Fill, the 1Password app passes the string into your browser, which acts as a secret reference to the browser extension to tell it what to fill.

In effect, it's the app's confidential way of saying, "Hey, browser extension. Grab this item off the shelf, and put the username and URL into this particular website." And because of the way this is handled, Open and Fill can do this without disclosing anything about the nature of the item itself - the string conveys no confidential data.

This is the implementation we use to make that functionality work in 1Password 8, and for the most part it seems to work really well (although there are edge cases where websites don't like the appended URL, and won't let a user sign in using login information filled from Open and Fill. This is pretty uncommon so far, from what we've seen, but in this case, the best approach is to fill from 1Password in your browser directly, as you would if you were just browsing around with the extension unlocked and letting it fill logins for you per usual).

And the reason that these URL strings don't appear when you're using the extension is that it doesn't need them, because it's already connected to the 1Password for Windows app and it pulls the relevant information based on the URL you've browsed to. By contrast, Open and Fill is a proactive action taken from within the 1Password for Windows app, sort of the equivalent of saying, "Go to this website and put the login in now, even though we're not currently on the page."

So suffice to say, 1Password isn't accidentally leaking data or anything like that when you're seeing this happening. It's just how the apps provide an informational reference to make sure the right login info gets filled in the site. I hope this is helpful!

Hey @volts:

Thanks for your additional feedback. While I can't promise anything, I've shared your specific concerns about de-anonymization with our product team.

Jack