Serious autofill bug - filling wrong login

Jeff Leigh
Community Member

I've been seeing some very strange behavior where logins sometimes get autofilled with the wrong entry and I've been able to replicate at least one cause and it's very concerning.

Have a tab open with a login page waiting to be autofilled.
Open a new blank tab.
Hit command+\ from the blank tab.

Nothing happens in the blank tab, but if you go back to the first tab it will autofill a login, but not the correct login. I believe it's taking the first login it sees from the Quick Access list and applying it to that login page. This of course fails because it's not the correct login.


1Password Version: 8.8.0-165
Extension Version: 2.3.6
OS Version: macOS 12.4
Browser: Chrome: 103.0.5060.53

Comments

  • tambo
    Community Member
    edited July 2022

    I am seeing exactly the same problem, and I have more information.

    A few days ago, I tried to log in to the administrative page on my router (which is named Rahonavis) using a saved login. Unlike the other 100+ times I've done so this month that succeeded without a problem, I received this message:

    "1Password can't verify that Google Chrome should have access to your Rahonavis item. Do you want to fill it anyway?", with the options: "Fill once," "fill & update login," and "cancel."

    Not understanding why I was suddenly seeing this dialog (perhaps the first time in my 7+ years of using 1Password!), I clicked "Fill & update login." To my surprise, from that point forward, 1Password autofilled every page with the login credentials for Rahonavis on the first attempt. That included Amazon, Gmail, Dropbox - even the login for 1Password.com.

    I opened 1Password and checked out the login for Rahonavis, and found that that login (and only that login) included a new field that read: Linked Apps: Google Chrome. I deleted that entry, and Chrome stopped using Rahonavis for all entries.

    However, that isn't the end of the story, and I am still having major issues, for this reason: every login is exhibiting some weird behaviors involving this dialog.

    Here is a complete description of the problem:

    1) Initially, when I visit a login web page (one that 1Password has previously been able to autofill without any problem) and hit the Autofill button, 1Password does not recognize the page and autofill the fields. Instead, 1Password pops up the generic "select a login" dialog with no entries suggested.

    2) A few moments after 1Password displays the "can't verify" dialog, the actual web page often inserts the "autofill" suggestion bubble attached to the textbox on the page with the correct login suggested. (This is super-weird, since 1Password failed to suggest the correct login mere seconds prior when I hit the Autofill button.)

    3) When I select the correct login through that box, I now receive the message: "1Password can't verify that Google Chrome should have access to your ___ item," with the options: "fill once," "fill & update login," and "cancel."

    4a) If I select "fill & update login," 1Password now uses those credentials by default on every website. If I autofill again on the same web page, 1Password often replaces the initial (incorrect) credentials with the correct credentials for that website. I can stop this behavior by removing the "Linked Apps: Google Chrome" field that was added to the login.

    4b) If I select "fill once," the dialog vanishes, 1Password autofills the form, and (I think) 1Password stops presenting the "can't verify" message... but only for that login. Other logins that I haven't used in a while are still subject to this.

    4c) If I select "cancel" and try again, 1Password shows me the "can't verify" dialog again.

    4d) If I select "cancel" and instead click the autofill bubble attached to the login textbox, 1Password autofills the form just fine. But if I log out and hit the Autofill button again, I go right back to step 1 above.

    I will note that I didn't change anything in 1Password to provoke this behavior. The logins didn't change, my configuration didn't change, etc. However, a few days ago, I dumped my Google Chrome cookies (while addressing an unrelated tech issue with a particular website). If 1Password lost anything due to that dumping, then it is not handling the consequences gracefully. I have tried uninstalling and reinstalling the 1Password Chrome extension, but nothing changed as a result.

    My guess is that a 1Password software update has altered its security behavior in unexpected ways and is creating havoc for me and, possibly, other users.

    I put in a help request, documenting much of the above, and tech support is looking into it. No response yet.

    Finally, I will note that this behavior is serious and concerning for two reasons:

    1) 1Password is presenting a security dialog in some contexts while simultaneously offering to autofill the credentials. Is there a problem with 1Password's security being circumventable in some circumstances?

    2) 1Password is autofilling pages with the wrong credentials! I don't want Amazon to have my Gmail password, nor vice versa.

  • Jeff Leigh
    Community Member

    Thank you! Removing the Linked App fixes my major problem, but I also concur with everything else you found. The behavior of Autofill is very degraded from the nearly seamless behavior with 1Password 7. :(

  • Hi @Jeff Leigh / @tambo:

    This is something we're actively aware of, and hope to have a fix out soon. In the meantime, removing the Linked App in the affected Login item would be your best bet.

    Jack

  • zigg
    Community Member

    Is this something that's fixed in the 8.9.0 beta? I have been experiencing the same very scary behavior as tambo above, am trying the beta now, and it appears resolved so far in just a little bit of testing.

  • Hi @zigg / @Jeff Leigh / @tambo:

    Yes, that's correct, the behavior that caused the browser you're using, rather than the website you're on, to be detected for filling has been resolved. The fix is currently in the nightly as well as the beta releases. You can get started with the beta releases here: Use 1Password beta releases

    Jack
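
The matching-order problem described in this thread (the browser app being matched instead of the website), shown as an added example that is not part of the original posts and is not 1Password's code. The item shape, function names and vault entries are hypothetical and constructed; it contrasts a flawed lookup order with one that lets only the page origin decide inside a browser.

```javascript
// Simplified model for illustration; NOT 1Password's code. The item shape,
// function names and vault entries are hypothetical/constructed.
const BROWSERS = new Set(["com.google.Chrome"]); // apps that render arbitrary sites

const vault = [ // constructed sample items
  { title: "Google", urls: ["https://accounts.google.com"], linkedApps: ["com.google.Chrome"] },
  { title: "Amazon", urls: ["https://www.amazon.com"], linkedApps: [] },
  { title: "Notes", urls: [], linkedApps: ["com.example.notes"] },
];

// Origin (scheme + host + port) of a URL, or null for invalid/opaque ones
// such as a blank tab (chrome://newtab/ serializes its origin as "null").
function originOf(url) {
  try {
    const o = new URL(url).origin;
    return o === "null" ? null : o;
  } catch {
    return null;
  }
}

function matchByOrigin(items, pageUrl) {
  const origin = originOf(pageUrl);
  if (!origin) return [];
  return items.filter(i => i.urls.some(u => originOf(u) === origin)).map(i => i.title);
}

const matchByApp = (items, bundleId) =>
  items.filter(i => i.linkedApps.includes(bundleId)).map(i => i.title);

// Flawed order: a linked-app hit on the frontmost app wins over the page.
function matchFlawed(items, ctx) {
  const byApp = matchByApp(items, ctx.bundleId);
  return byApp.length ? byApp : matchByOrigin(items, ctx.pageUrl);
}

// Hardened: inside a browser only the page origin decides; linked apps are
// honoured for native (non-browser) apps only.
function matchHardened(items, ctx) {
  return BROWSERS.has(ctx.bundleId)
    ? matchByOrigin(items, ctx.pageUrl)
    : matchByApp(items, ctx.bundleId);
}

// Audit helper: items whose linked app is a browser (the association to remove).
const browserLinkedItems = items =>
  items.filter(i => i.linkedApps.some(a => BROWSERS.has(a))).map(i => i.title);
```
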

  • semblance
    Community Member
    edited July 2022

    I'm seeing the same behaviour - for every web site I try and log in to, Autofill now enters my Google credentials rather than those for the web site I'm visiting.

    I think this is happening because my Login for Google in 1Password has a linked app: "Google Chrome". This happened because I earlier tried to use Autofill to log in to Google Chrome.app (the browser app itself, not a web site), and 1Password complained that the app was not associated with any Login. One of the options was to update the Login to make the association, and when I did that, "Google Chrome" appeared under Linked apps. This allowed me to successfully use Autofill to log into the Google Chrome browser.

    But now 1Password seems to think that every web site I visit in that browser is Google Chrome, and tries to use my Google credentials to log in to the web site!

    This seems like a serious bug because my Google credentials have now been exposed to many other unrelated websites. This is especially concerning given that Google is used for Gmail - and therefore functions as "root of trust", since most services use email for their credential reset flows. I do not want a "root of trust" credential sprayed out to dozens of unrelated web sites.

    It's great that a fix is on the way - but I don't have time to mess around with betas. Nor do I want to go through the hassle of disassociating my Google Login with Google Chrome.app and then figuring out how to re-associate it.

    I just want the fix. When is it coming?

  • Hi @semblance:

    Editing your Google login and removing the linked app of Google Chrome would be your best bet to avoid your information being inadvertently filled. We generally don't share release dates, but I would expect to see the fix in our next production release of 1Password for Mac.

    If you'd prefer to not install the beta build of 1Password for Mac, relying on 1Password in the browser rather than using the Autofill shortcut should avoid this situation until we release the next production release of 1Password for Mac.

    Jack

  • semblance
    Community Member

    Makes sense, thanks @Jack.P_1P

This discussion has been closed.