Security Issue with Autofill?

Options
hayduk
hayduk
Community Member
in 1Password in the Browser

Hi Everyone,

i came across an article on https://www.bleepingcomputer.com/ in regards of security issues with Bitwardens Auto-Fill Feature. Now I'm curious if we have a similia issue with 1Password Browser Extension.

https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/

As far as i would understand the situation with Bitwarden, is that the Browser Extension from Bitwarden will auto-fill Login Credentials without any user interaction if you enable that feature.

I don't see the issue with 1Password because you must select the item you want to use for sign in. But as described in that article a malicious iframe can also capture the login credentials if you select an item. I'm also not sure if the default configuration for auto-fill or selection of items will cause a problem because 1Password will offer the login on ALL host of a domain.

Maybe someone can clarify the situation for 1Password.

Regards
Stefan

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • steph.giles
    steph.giles
    Options

    Hi @hayduk,

    I appreciate your concern and applaud you for taking your security so seriously. 1Password will not fill your information into any form without you telling it to do so by either clicking on the inline menu suggestion, using a keyboard shortcut or by using 'Open and Fill'.

    The setting above is determining where exactly 1Password will show you the suggestion to fill however the above still stands for requiring your interaction to fill and submit these details.

    You can find out some more information on these settings in this guide: Change where a login is suggested and filled.

    I hope this helps, please let us know if you have any questions!

  • hayduk
    hayduk
    Community Member
    Options

    Hi @steph.giles ,

    thanks for your Response. In the original analysis of Flashpoint they also mention an attack vector where it is possible to crab the credentials after a user manually autofill the credentials.

    https://flashpoint.io/blog/bitwarden-password-pilfering/

    As specially I would like you to have a look at the following part of the Report:

    "As mentioned before, if the ‘Auto-fill on page load’ option is enabled, no further user interaction is required. However, we confirmed that if the user fills a login form via the context menu, forms embedded in iframes are filled as well."

    Is that something where 1Password also protects from?

    Kind regards
    Stefan

  • Joy_1P
    Joy_1P
    1Password Alumni
    edited March 2023
    Options

    Hi @hayduk! We do fill iframes, but we check the URLs of the individual frames every step of the way to make sure that the item in question can actually fill. If the login form is in an iframe that has a URL that doesn't match the one in an item, we'll fill nothing at all.

    In regards to filling on subdomains, I want the clarify that we consider that working as intended, unless the base domain is on the PSL (public suffix list).

    If a hosting provider does this:

    Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page

    They would need to do their due diligence and submit their root domain to the PSL so that we (and also browsers) know to treat subdomains as distinct security contexts. Almost all of the web operates under the assumption that subdomains of a website are "trusted" in some way, unless the domain they're a sub domain of is on the PSL.

This discussion has been closed.