Forum Discussion
Jeff_Leigh
4 years ago · New Contributor
Serious autofill bug - filling wrong login
I've been seeing some very strange behavior where logins sometimes get autofilled with the wrong entry and I've been able to replicate at least one cause and it's very concerning.
Have a tab open ...
tambo
4 years ago · Occasional Contributor
I am seeing exactly the same problem, and I have more information.
A few days ago, I tried to log in to the administrative page on my router (which is named Rahonavis) using a saved login. Unlike the other 100+ times I've done so this month that succeeded without a problem, I received this message:
"1Password can't verify that Google Chrome should have access to your Rahonavis item. Do you want to fill it anyway?", with the options: "Fill once," "fill & update login," and "cancel."
Not understanding why I was suddenly seeing this dialog (perhaps the first time in my 7+ years of using 1Password!), I clicked "Fill & update login." To my surprise, from that point forward, 1Password autofilled every page with the login credentials for Rahonavis on the first attempt. That included Amazon, Gmail, Dropbox - even the login for 1Password.com.
I opened 1Password and checked out the login for Rahonavis, and found that that login (and only that login) included a new field that read: Linked Apps: Google Chrome. I deleted that entry, and Chrome stopped using Rahonavis for all entries.
However, that isn't the end of the story, and I am still having major issues, for this reason: every login is exhibiting some weird behaviors involving this dialog.
Here is a complete description of the problem:
1) Initially, when I visit a login web page (one that 1Password has previously been able to autofill without any problem) and hit the Autofill button, 1Password does not recognize the page and autofill the fields. Instead, 1Password pops up the generic "select a login" dialog with no entries suggested.
2) A few moments after 1Password displays the "can't verify" dialog, the actual web page often inserts the "autofill" suggestion bubble attached to the textbox on the page with the correct login suggested. (This is super-weird, since 1Password failed to suggest the correct login mere seconds prior when I hit the Autofill button.)
3) When I select the correct login through that box, I now receive the message: "1Password can't verify that Google Chrome should have access to your ___ item," with the options: "fill once," "fill & update login," and "cancel."
4a) If I select "fill & update login," 1Password now uses those credentials by default on every website. If I autofill again on the same web page, 1Password often replaces the initial (incorrect) credentials with the correct credentials for that website. I can stop this behavior by removing the "Linked Apps: Google Chrome" field that was added to the login.
4b) If I select "fill once," the dialog vanishes, 1Password autofills the form, and (I think) 1Password stops presenting the "can't verify" message... but only for that login. Other logins that I haven't used in a while are still subject to this.
4c) If I select "cancel" and try again, 1Password shows me the "can't verify" dialog again.
4d) If I select "cancel" and instead click the autofill bubble attached to the login textbox, 1Password autofills the form just fine. But if I log out and hit the Autofill button again, I go right back to step 1 above.
I will note that I didn't change anything in 1Password to provoke this behavior. The logins didn't change, my configuration didn't change, etc. However, a few days ago, I dumped my Google Chrome cookies (while addressing an unrelated tech issue with a particular website). If 1Password lost anything due to that dumping, then it is not handling the consequences gracefully. I have tried uninstalling and reinstalling the 1Password Chrome extension, but nothing changed as a result.
My guess is that a 1Password software update has altered its security behavior in unexpected ways and is creating havoc for me and, possibly, other users.
I put in a help request, documenting much of the above, and tech support is looking into it. No response yet.
Finally, I will note that this behavior is serious and concerning for two reasons:
1) 1Password is presenting a security dialog in some contexts while simultaneously offering to autofill the credentials. Is there a problem with 1Password's security being circumventable in some circumstances?
2) 1Password is autofilling pages with the wrong credentials! I don't want Amazon to have my Gmail password, nor vice versa.