Skip to main content
June 26, 2024
Question

Autofill now immediately submits (enters) (feature becomes bug)

  • June 26, 2024
  • 16 replies
  • 752 views

I'm using 1Password browser extension on Mac in Brave browser.
On a login page, when you click the cursor to the user name or password field, the extension pops up with a guess of the related entry.

In the past, when you selected the entry, the extension would fill the appropriate fields and stop. The user then would click "log in" or "continue" etc.

With the latest update, now when the extension fills out the fields, it AUTOMATICALLY hits "submit" or "enter" to log you in.
I get that the intent is to save you having to click again, and potentially saving you a click.

BUT, the unintended consequence of this change is that now I an UNABLE to tick/untick any boxes or make any selections after the extensions fill out the fields. For example, Xero asks for user name then password. Then the next screen asks for the OTP from 1Password. It is only on that screen that the option to "trust this browser" appears.
But because 1Password is now filling out the user name, password, clicking "log in" then on the next screen immediately filling out the OTP and clicking "next", I have no opportunity to click "trust this browser." Annoying.

And just now on Amazon, there was some option ticked, but after 1Password filled out the user name/password/OTP I didn't have any opportunity to select/deselect, and now it seems I have created a passkey for Amazon, which I didn't intend to do.
Very annoying that the extension didn't give me time to review anything before submitting the OTP.

Please either make this a user-selectable option to auto-enter after filling out the fields, or revert back to NOT automatically submitting after filling out the fields.


1Password Version: 8.10.34
Extension Version: 2.25.1
OS Version: Sonoma 14.5
Browser: Brave

16 replies

1P_Dave
1Password Employee
June 26, 2024

Hello @markesyd! 👋

I'm sorry that the new autosubmit feature is getting in the way. You can turn off autosubmit by following these steps:

  1. Open your browser.
  2. Right-click on the 1Password icon in your browser's toolbar and click Settings.
  3. Click Autosave & fill.
  4. Turn off "Sign in automatically after autofill".

Are you able to tell me the address of the websites where you ran into this issue? I'd like to pass along your feedback to the team.

-Dave

Baz
June 27, 2024

Dave,

This started for me today as well. It was happening on every website. The browser extension's "Sign in automatically after autofill" was already deselected. I had to toggle it on and off to fix this behavior.

Perhaps this was related to the fact that I have "Offer to fill and save passwords" turned off. I had to temporarily enable that to gain access to the autofill control to do the on/off double toggle.

Barry

1P_Dave
1Password Employee
June 27, 2024

@Baz

Thank you for the report, I'll keep an eye out for reports from other customers and investigate further to determine if there's a bug that needs to be fixed. Let me know if you run into any further issues, I'm sorry for the inconvenience.

-Dave

June 27, 2024

I'll add a +1 to this. The browser plugin auto-updated with this feature, and suddenly my corporate SSO is failing every single login when this feature is enabled.

markesydAuthor
June 27, 2024

@1P_Dave thanks for the clear instructions to disable this feature. I would've rather you had a pop-up asking about it or notifying that it can be disabled, rather than just implementing it and having it inadvertently causing issues for some users.

The main sites I had issues with were Xero and Amazon.

1P_Dave
1Password Employee
June 28, 2024

@wcmorrell

I'm sorry that you're unable to sign in using your corporate SSO. Would you be able to share a few more details about the issue:

  1. On which website are you running into this issue?
  2. Do you see a specific error message?
  3. What SSO provider is your organization using?

-Dave

1P_Dave
1Password Employee
June 28, 2024

@markesyd

Thank you for the feedback, the first time that you use the autosubmit feature you should see a pop-up that looks like this which includes a button to turn the feature off:

Regarding Xero, would you be able to collect the structure of the page that has the "trust this browser" option after you've disabled autosubmit?

  1. Open the website in question until you can see the "trust this browser" option that you're referring to.
  2. Right-click on the page and click "1Password - Password Manager" > Help > Collect Page Structure.

Attach the resulting JSON file to an email message addressed to support+forum@1password.com.

With your email please include:

You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here. Thanks very much!

Regarding Amazon you wrote:

I didn't have any opportunity to select/deselect, and now it seems I have created a passkey for Amazon, which I didn't intend to do.

A passkey won't be saved to 1Password without you choosing to save the passkey through a prompt that looks like this:

Do you recall seeing this prompt and choosing to save a passkey for Amazon?

-Dave

June 28, 2024
  1. Issue occurs for every site with auth going through SSO.
  2. The error page is for issues redirecting the auth back to the application—it’s customized to warn about bookmarking only the desired application URL and not the login URL.
  3. The SSO setup is using a combination of Cloudflare interception, redirecting to custom Shibboleth solution. I am not super familiar with the exact setup details. I can send contact info for the responsible team privately.
1P_Tommy
1Password Employee
June 28, 2024

@wcmorrell

Sure. We'd be happy to hear from you. Please email us using support+forum@1password.com. Be sure to use the email address tied to the account in question.

June 29, 2024

Hi, just like to report pretty much the same experience, with the added bonus that because the submission is happening on pages that requires captcha (especially hCaptcha and reCaptchaV2), it's creating a doomloop of captcha problems. I'm already for whatever reason bad at solving captchas and this is making logins a complete nightmare. Once you get into the captcha doomloop, at least on the same device, even the workaround of completing the captcha first and then fill in the details doesn't stop the massive amount of captchas I now have to fill. I don't know how long this persists but even a typical Google search requires (as I counted) up to 9 separate captchas before it would go through. To avoid all that, I've temporarily switched browsers and am using an ssh tunnel to a completely different ip which, because it's an ip on a server I'm renting for something else, still tend to trigger captchas, but at a far lesser rate than my normal home connection, ironically.

I've isolated it to the autosubmission because I managed to get banned from a site that has such a login feature and when I emailed to ask, the response was that I had a lot of failed logins sent without a captcha response. I've been unbanned thanks to the email exchange, but this is not really a sustainable solution for every site that has a setup like this. From the server side it would look a lot like a clumsy credential stuffing attack and not every site has responsive operators - some would straight up ban the ip and/or account for a time period. On eCommerce sites that operate on a "drops" like queue system to prevent bots it would more or less prevent me from ordering the item because this is effectively mimicking some poorly programmed browser automation behavior. I realize that front-end designers have a variety of login flows and it'd be difficult to test how the feature would interact with anything that is at all not a straight up template, and as someone who works exclusively on the backend when it comes to projects involving any sort of web applications I've long attempted to get the message across - in vain - that for the most part design choices don't really work to stop bots and attacks of that nature because anything client-side can eventually be reverse-engineered and anything a human can do can be emulated and with a first-mover advantage to boot. I don't know whether to laugh or cry that as it turns out, the login flows do stop a certain type of accessor, just not a bot but me. Now I have to seriously consider just offloading captcha solving to one of the myriad of services that outsource the manual work to someone in the global south for pennies until my ip is no longer considered malicious by the black box algorithms that determine the trustworthiness of my home connection.

I don't know if I'm an edge case or not since it's hard to judge the ratio of complaints versus people actually affected, but it appears that at least some illustrative warning needs to be implemented at least before users opt-in to the feature. I'm fortunate that I can triage and diagnose the problem on my end fairly quickly and browsing actual web sites is not a significant part of my work, and can mitigate if not eliminate a lot of the pain points to a large degree. But just as my first reaction when weird things start to happen is to pop an ssh tunnel and start to eliminate causes by spinning up VMs, if it's my mom who starts to experience all this (she luckily is in China for now where logins are kind of worthless because private property ultimately doesn't exist and so everything is tied to QR code based login systems, vulnerable for a whole other reason), I'm pretty sure that I'll end up losing 2-3 hours of productivity trying to triage the problem without any vaguely jargon-like language, and possibly the ten years of pestering her to use a password manager might just go out the window. That would really be the worst result, no?