Skip to main content
June 26, 2024
Question

Autofill now immediately submits (enters) (feature becomes bug)

  • June 26, 2024
  • 16 replies
  • 752 views

I'm using 1Password browser extension on Mac in Brave browser.
On a login page, when you click the cursor to the user name or password field, the extension pops up with a guess of the related entry.

In the past, when you selected the entry, the extension would fill the appropriate fields and stop. The user then would click "log in" or "continue" etc.

With the latest update, now when the extension fills out the fields, it AUTOMATICALLY hits "submit" or "enter" to log you in.
I get that the intent is to save you having to click again, and potentially saving you a click.

BUT, the unintended consequence of this change is that now I an UNABLE to tick/untick any boxes or make any selections after the extensions fill out the fields. For example, Xero asks for user name then password. Then the next screen asks for the OTP from 1Password. It is only on that screen that the option to "trust this browser" appears.
But because 1Password is now filling out the user name, password, clicking "log in" then on the next screen immediately filling out the OTP and clicking "next", I have no opportunity to click "trust this browser." Annoying.

And just now on Amazon, there was some option ticked, but after 1Password filled out the user name/password/OTP I didn't have any opportunity to select/deselect, and now it seems I have created a passkey for Amazon, which I didn't intend to do.
Very annoying that the extension didn't give me time to review anything before submitting the OTP.

Please either make this a user-selectable option to auto-enter after filling out the fields, or revert back to NOT automatically submitting after filling out the fields.


1Password Version: 8.10.34
Extension Version: 2.25.1
OS Version: Sonoma 14.5
Browser: Brave

16 replies

1P_Tommy
1Password Employee
June 29, 2024

@jimz

You/she should see something like this the first time you open the extension. I'm sorry you had trouble. Is this with something (site) specific? If so, I can submit a report. I have shared your message here with the team verbatim. I'm sorry for the experience you had.

June 29, 2024

@1P_Tommy No worries about me, I turned the feature off and over the last few days the number of captchas that I've had to fill have been decreasing pretty steadily. Google is a black box so I couldn't confirm anything until I got the email that straight up said that failed logins were having an affect but it was hard to miss the correlation after a few days of the feature going live. ReCaptchaV2 is still prevalent but the invisible v3 getting at least some adoption helps, but oddly Google's flagship product - search - still uses v2, which amplified the effect. However as long as a site didn't happen to expire my session - and didn't offer a native app on mobile that incorporated faceId or biometrics as login - I was fine. I saw the pop up box but wasn't really sure what behavior to expect, and I guess I also assumed that it would wait for any captcha to be filled since the captcha response would be part of the POST request for the login, even if the process really involved an additional request to obtain the token - I suppose I had simply assumed that by credentials it meant the entire request for the login flow, since logically even if it happens under the hood any anti-bot/credential stuffing mechanism, however ineffective it is in practice, would be part of the credentials in a sense for the login, as it tends to be a Chekov's Gun for websites - if it's coded into the page, the login likely is going to use it, even if it makes little sense to do so.

Actually, as a side note, the fact that one small change is able to cause all sorts of inconveniences mostly from systems designed to provide in broad terms "security" shows in stark terms how poor the heuristic methods being used really are and how much it relies on assumptions. I'm sure there are assistive technologies for the disabled that are just as able to trip up technology that in some cases can be quite costly to implement yet in the end are both easily circumvented and also easily triggers false positives by the ton. My background is a legal one and out of everyone at my relatively small law school graduating class I'm the only person I know who had a tech-centric skillset and made a conscious choice not to go into IP/in house practice (mostly because I had moral objections in equivocating intellectual and real property rights, I went into criminal and public interest law instead as they affect the liberty interest of my clients). It's pretty jarring how big of a gulf exists between the two worlds and how much reliance on tech illiteracy versus legal illiteracy is involved in practice - as in, attribution made either in bad faith or ignorance in regards to whether an IP address can be directly linked to a specific individual and their actions and intent at a specific time, or an address on a blockchain to a single person, backed by "expert" testimony that clearly was vetted by attorneys either too cynical or too lacking in knowledge of the technology to properly cross examine. Even as a law student during spring break I found myself essentially picking a jury for a first degree murder trial by simply looking at public facebook profiles and picking out those who claimed no relationship to law enforcement when their social networks stated otherwise, and when it resulted in a hung jury the prosecutor simply scheduled retrial on the same evidence during the two weeks of my finals on the same evidence, and got a guilty verdict. I'm no longer actively practicing - fortuitously some stupid internet joke managed to somehow enable me to retire before most of my classmates have paid off their loans - but if nothing else it had only gave me more time to look at how flimsy assumptions are treated as ironclad truths that set the groundwork for precedent, ranging from a series of cases where the court failed to note that jurisdiction is established based on geolocation of Cloudflare IPs (so of course they appear to be purposefully availed to be located in the US, the word 'Anycast' never appears in the docket) to the FBI taking a 2 year delay on blockchain analysis based on one objection to obscure the fact that attribution data is effectively entirely crowdsourced, ending up with both sides arguing the wrong issue. Bots can't be charged with a crime, of course, as code is not a real person, but OFAC absolutely thought that a deployed smart contract was a person and it took 5 months for them to figure out a way to explain how they appeared to sanction a smart contract that is literally two metaphors and exists in sync around the world without an operator. I'm curious as to whether this case where a small, seemingly insignificant alteration can create a self-perpetuating misidentification loop ever becomes an example of how far from "beyond a reasonable doubt" some of the evidence admitted can really be if understood correctly. Since the admission of evidence happens in front of a judge and not a jury, it's very much down to whether the judge has a proper understanding of what tech is able to and isn't able to ascertain with almost certainty. Bad forensic science have certainly led to innocent people being executed (Cameron Todd Willingham perhaps the best known example), but even with lower stakes, illustrative examples help far more than mere technical - or technical-sounding - explainers. Perhaps something helpful can come out of this, at some point, since the amount of snake oil in cases of consequence is so often treated as the genuine cure in cases of great importance at trial when anything vaguely technical is part of the evidence. Here's to hoping, although I can't say I'm holding my breath. The best trial attorney I worked for had me print out his emails for reading as recently as 2014.

Cheeers

markesydAuthor
July 4, 2024

@1P_Dave

I have sent the email as requested.
The support ticket ID from the bot is: NPZ-45529-153

I don't recall seeing the popup verifying the addition of the passkey for Amazon, but to be honest, it all happened so quickly I couldn't read everything as it refreshed. But when I check the entry for Amazon in 1Password, it shows passkey created 26.Jun.24, which I did not specifically authorise.

Also, contrary to your comment and @1P_Tommy 's post, I did not receive a verification notice that the feature had been added or implemented. I just noticed that suddenly 1Password was autosubmitting. I didn't specifically enable it, it just happened. Potentially with the update on 11.Jun for MacOS?? Seems others didn't receive the popup as well...

1Password Employee
July 5, 2024

@markesyd

Thanks for sharing the Support ID! I've located the ticket and can see that a member of the Support team has replied. Let's continue the conversation over there in order to prevent having the same conversation in two different places. 🙂

-David

ref: NPZ-45529-153

somegirl
July 8, 2024

I just came to the forums to see if I was the only one taken by surprise by this. I'm quite sure I never got that notification popup about the new feature; the first few times it auto-submitted I thought maybe I was imagining things. But tonight, after I got stuck in a loop on a site with a CAPTCHA, I had to go looking for what I guessed must have been a new setting. (I found it, and I disabled it.)

I will leave it off, and that's fine. But even better would be to enable it or disable it on a site-by-site basis. Me personally, I'd be likely to leave it off in the main setting because it trips up on too many sites. But it would be handy to enable it for some sites that I use a lot and that I know won't have a problem with it.

1Password Employee
July 8, 2024

@somegirl

Thanks for sharing your experience, and I'm sorry that the auto-submit feature has caused some trouble when logging in on certain websites. Our development team is looking into improving how the auto-submit feature works with pages using CAPTCHA, so I've shared your experience with them.

I've also shared your request for the ability to enable or disable the feature on a site-by-site basis with our Product team, so that they can take it into consideration.

Let me know if there's anything else I can help with!

-David

ref: dev/core/core#29636
ref: PB-40825449