1Password keeps you safe by keeping you in the loop

This is a story with many beginnings and many threads coming together. The very short read of it is that 1Password’s browser extension was designed from the outset so that it is not vulnerable to some recently discovered browser-based attacks on some password managers.

Researchers at Princeton University’s Web Transparency and Accountability Project were investigating tracking scripts on web pages, and discovered that several of them attack browser-based password managers and extract the email addresses, usernames and sites stored in the browser’s password manager. As I said, 1Password is designed in such a way as to not be vulnerable to the kinds of attacks those scripts used. The scripts that attempt this are from Adthink (audience insights) and OnAudience (behavioralengine).

Whether or not they make malicious use of the email addresses and usernames they extract, they are certainly learning which sites you have records for in those password managers. I would like to add that we’ve designed 1Password so that we cannot know which sites and services you have logins for.

There is a huge amount to say about the contemptible behavior of these trackers, and I’m hopeful that others will say so clearly. Here, I want to talk more about what all of this illustrates about 1Password’s design and our approach to security.

Saying “no” to automatic autofill

A commonly requested feature is an option that would have 1Password automatically fill in web forms as soon as you navigate to a page in your browser. 1Password, instead, always requires that you take some action. Perhaps it is just hitting ⌘-\ or Ctrl-\, using our Go and Fill mechanism, or even setting up a 1Click Bookmark. But whichever of the several mechanisms 1Password makes available you use, you have to tell it that you want it to fill material on the page.

Plenty of you have written in over the years, saying that you would like 1Password to fill in web forms as soon as you get to a page, with no human intervention. We’ve even been told that it is a very popular feature of some other password managers.

It’s not a lot of fun saying “no” to feature requests. But that is what we have done for as long as I can remember. And for the rest of this article, I’m going to draw from something I wrote in our forums back in 2014.

Because of security concerns we are disinclined at this time to offer, even as an option, the feature you (and so many others) are asking for. […] but I do want to give you an overview of our reasoning for what might seem like an odd choice.

Automatically filling a web form with no user intervention other than visiting the page can, if combined with something that works around the anti-phishing mechanism [of 1Password], lead to an attack where lots of your usernames and passwords are submitted to a malicious site in a way that is silent and invisible to you.

The longer answer

I will use the terminology adopted by David Silver and co-authors in Password Managers: Attacks and Defenses at the USENIX Security conference (2014). In that paper’s terms, the requested feature is “automatic auto-fill”, whereas what 1Password does is “manual auto-fill”. That is, 1Password requires some user intervention before it will fill a form (such as you typing Ctrl-\), instead of simply filling when you visit a page.

Although I am citing material from 2014, this kind of attack had been discussed since at least 2006. One description from that time notes that

It’s really not phishing, as it doesn’t actually require the user to believe anything, as the social engineering portion of the attack is not there. As such you can steal user information through any page, as long as the automatic form submission requires no user input to fill the form.

This isn’t new.

Why am I now going to talk about phishing?

One of the great security benefits of 1Password is that it helps you avoid phishing attacks. When you ask 1Password to fill information into a page, it will not fill into pages that don’t match the URL of the item.

1Password has a number of mechanisms to prevent filling into the wrong page. That is, if you go to a form at paypal.evil.com, 1Password will not fill in a password saved for paypal.com, because the domains don’t match. Tricking a person into entering something like their PayPal password into something that only masquerades as PayPal is called “phishing”. The idea is that it should be harder to trick a password manager than a person. And it usually is. This is one of the many ways in which 1Password keeps you safe.

For the kinds of attacks we’ve been talking about, the malicious web page content needs to trick or bypass the password manager’s anti-phishing mechanism. If a malicious script on MyKittyPictures.example.com is going to try to grab PayPal credentials, then it is going to have to fool the password manager into thinking that it is filling a form that belongs to paypal.com.

We work very hard to make 1Password do the right thing in such cases. 1Password’s anti-phishing mechanisms work very well at preventing it from filling into the “wrong” web forms. But because of the nature of HTML, iFrames, protocols, JavaScript, iFrames, conventions, page designs, and iFrames, the defenses that we (and everyone) have to use are messy and involve a series of rules and exceptions and exceptions to those exceptions. (Did I mention that iFrames are a trouble spot?) It is exactly the kind of thing that we know can go wrong.

So the question we’ve had to ask ourselves is whether the anti-phishing mechanisms are strong enough that we never, ever have to worry about 1Password filling data into the wrong place. We needed to decide whether the tools available for that defense are strong enough to allow us to build a mechanism that meets our standards. Unfortunately they are not, and so we insist on another line of defense: you have to be in the loop.
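As an added illustration of what the “rules and exceptions” above are fighting, here is a strict “may I fill here?” check in JavaScript next to two shortcuts that look reasonable and are wrong. This is example code written for this article, not 1Password’s own matcher (its real rules are not reproduced here). The tiny suffix list stands in for the full Public Suffix List, and the sample URLs are constructed; both are assumptions of the example.

```javascript
// Illustrative "may I fill here?" check, added for this article; it is not
// 1Password's code and its real rules are not reproduced here. The suffix list
// is a tiny stand-in for the Public Suffix List (assumption: production code
// would load the full list), and the URLs below are constructed samples.
const PUBLIC_SUFFIXES = ["com", "net", "org", "co.uk", "github.io"];

// Registrable domain (eTLD+1): the part of a hostname that one party controls.
// "www.paypal.com" -> "paypal.com"; "paypal.evil.com" -> "evil.com";
// unknown suffix -> null, so the caller refuses rather than guesses.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  let suffixLen = 0;
  for (const suffix of PUBLIC_SUFFIXES) {
    const n = suffix.split(".").length;
    if (labels.length > n && labels.slice(-n).join(".") === suffix) {
      suffixLen = Math.max(suffixLen, n);
    }
  }
  return suffixLen === 0 ? null : labels.slice(-(suffixLen + 1)).join(".");
}

// Strict check: the page and the saved item must share a registrable domain,
// and an item saved for https is never filled into an http page (a downgrade
// is how a network attacker would collect it).
function shouldFill(pageUrl, itemUrl) {
  let page, item;
  try {
    page = new URL(pageUrl);
    item = new URL(itemUrl);
  } catch (e) {
    return false; // unparsable is "no", not "probably fine"
  }
  if (item.protocol === "https:" && page.protocol !== "https:") return false;
  const pageDomain = registrableDomain(page.hostname);
  const itemDomain = registrableDomain(item.hostname);
  return pageDomain !== null && pageDomain === itemDomain;
}

// Two tempting shortcuts. The attacker chooses the hostname on the left, and
// each of these lets a chosen hostname pass as the saved site.
function naiveIncludes(pageUrl, itemUrl) {
  return new URL(pageUrl).hostname.includes(new URL(itemUrl).hostname);
}
function naiveEndsWith(pageUrl, itemUrl) {
  return new URL(pageUrl).hostname.endsWith(new URL(itemUrl).hostname);
}

// Constructed sample: one saved item, five pages that claim to be it.
const ITEM = "https://paypal.com/";
for (const page of [
  "https://www.paypal.com/signin",
  "https://paypal.evil.com/login",
  "https://paypal.com.evil.com/login",
  "https://evilpaypal.com/login",
  "http://paypal.com/login",
]) {
  console.log(page.padEnd(36),
    "strict:", shouldFill(page, ITEM),
    "includes:", naiveIncludes(page, ITEM),
    "endsWith:", naiveEndsWith(page, ITEM));
}
```

Note what the strict check still does not know: which frame the form sits in, or whether the form is visible. Those are exactly the places where the exceptions pile up, and why the article treats a human in the loop as the backstop rather than the matcher alone.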

Invisible forms

The fields in which usernames, passwords, credit card numbers, and so on get filled won’t always be visible to you. Any page could have a form on it that you don’t see. If the designer of the form is attempting to trick a form filling mechanism, there is no way that 1Password could actually check to see if the fields really are visible.

So if the anti-phishing mechanism can be tricked, then when you visit a malicious web page (including those that have malicious tracking scripts on them) you could have your private information silently and invisibly stolen if automatic auto-fill were in place.

Sweep attacks

The malicious form could be designed to reload itself, spoofing a different site each time, so that it is handed a different password on each pass. That is, a single malicious injection point could trick your automatically auto-filling password manager into giving up your passwords for many different sites. David Silver referred to these as “sweep attacks”, and that is what these ad trackers appear to be doing.

At this point, I have not fully studied their scripts to know the precise mechanisms they used, but it certainly is some form of sweep attack.
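To make the sweep concrete, here is an added model, written for this article and not taken from any password manager’s code, of the two paragraphs above and of the “doing no harm” argument that follows. Everything in it is constructed: the vault, the “forms”, the target list, the injection origin, and a deliberately weak matcher that trusts a page-supplied hint (the form’s action URL) rather than the frame’s real origin. That weak matcher is a hypothetical flaw standing in for “something that works around the anti-phishing mechanism”; it is not a claim about any real product.

```javascript
// Added model of a sweep attack; not any real product's code. The vault, the
// forms, the targets, the injection origin and the weak matcher are all
// constructed for this example. The weak matcher is a hypothetical flaw.

const VAULT = [
  { site: "paypal.com",   username: "alice@example.com",  password: "pp-secret-1"   },
  { site: "bank.example", username: "alice",              password: "bank-secret-2" },
  { site: "mail.example", username: "alice@mail.example", password: "mail-secret-3" },
];

// A login form as the extension sees it. `visible` is recorded only to make
// the point: the extension has no reliable way to verify it, so nothing below
// consults it.
function makeForm(frameOrigin, action, visible) {
  return { frameOrigin, action, visible, filled: null };
}

// Weak matcher (hypothetical flaw): keys on the page-controlled action URL.
function weakMatch(form, entry) {
  const host = new URL(form.action).hostname;
  return host === entry.site || host.endsWith("." + entry.site);
}

// Origin matcher: only the frame's real origin counts; the page cannot forge it.
function originMatch(form, entry) {
  const host = new URL(form.frameOrigin).hostname;
  return host === entry.site || host.endsWith("." + entry.site);
}

// Fill every form the matcher approves; return how many were filled.
function fillForms(forms, matcher) {
  let filled = 0;
  for (const form of forms) {
    const entry = VAULT.find((e) => matcher(form, e));
    if (entry) {
      form.filled = { username: entry.username, password: entry.password };
      filled += 1;
    }
  }
  return filled;
}

// Policy under test. "Automatic" fills on every page load or DOM change with
// no user gesture; "manual" fills only when the user explicitly asks.
function passwordManager({ automatic, matcher }) {
  return {
    onPageChanged(forms) { return automatic ? fillForms(forms, matcher) : 0; },
    onUserRequested(forms) { return fillForms(forms, matcher); },
  };
}

// The sweep: one injection point on an unrelated page rewrites an invisible
// form over and over, claiming a different site each time, and harvests
// whatever the manager filled. No click, no visible change, no lure.
function sweep(pm, targets, injectionOrigin = "https://mykittypictures.example") {
  const harvested = [];
  for (const target of targets) {
    const form = makeForm(injectionOrigin, `https://${target}/login`, false);
    pm.onPageChanged([form]);
    if (form.filled) harvested.push({ site: target, ...form.filled });
  }
  return harvested;
}

// The manual-autofill failure case: the user presses the fill shortcut once on
// the injected page while a hidden form claiming `target` is present.
function userPressesShortcut(pm, target, injectionOrigin = "https://mykittypictures.example") {
  const form = makeForm(injectionOrigin, `https://${target}/login`, false);
  pm.onUserRequested([form]);
  return form.filled ? 1 : 0;
}

// Each scenario returns the number of credentials one script walked away with.
function runScenarios() {
  const targets = VAULT.map((e) => e.site);
  return {
    automaticWeak:       sweep(passwordManager({ automatic: true,  matcher: weakMatch   }), targets).length,
    manualWeak:          sweep(passwordManager({ automatic: false, matcher: weakMatch   }), targets).length,
    automaticOrigin:     sweep(passwordManager({ automatic: true,  matcher: originMatch }), targets).length,
    manualWeakOneGesture: userPressesShortcut(passwordManager({ automatic: false, matcher: weakMatch }), "paypal.com"),
  };
}

console.log(runScenarios());
```

The numbers are the argument: with automatic autofill and a beaten matcher, one script takes the whole vault with no user action at all; with manual autofill and the same beaten matcher, the silent sweep yields nothing, and the worst case is bounded to the one fill the user explicitly asked for, which is no worse than typing that password by hand. A matcher that keys on the frame’s real origin stops the sweep outright, but the second line of defense is what holds when the first one has a gap.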

Doing good and doing no harm

Here is where I go off on a bit of a philosophical abstraction. As I’ve said, I don’t believe that a password manager can offer 100% absolute protection against phishing. But suppose there is one attack out of a million in which it fails to protect against phishing. If you use 1Password, you are much safer against the other 999,999 attempts and you are no worse off than you would be without it. Even in that one in a million case, using 1Password doesn’t add to your risk.

But now contrast that with a situation with a password manager that does allow automatic autofill. A password manager that can be subject to a sweep attack enables a kind of attack that wouldn’t be possible without the use of a password manager.


If you are using a password manager that allows for automatic autofill, turn that feature off. If you are using a password manager that doesn’t allow you to turn that feature off, switch password managers. And when you consider making such a switch, please remember that we’ve never allowed automatic autofill at any time in our more than 10-year history. We believe that you have to be in the loop when it comes to giving your secrets to anyone else. That design philosophy helps keep you safe and in control.

It ain’t over till it’s over

I’m sure that there will be more news to come over the next few days or weeks about the extent of these malicious trackers and precisely which password managers were affected. So please follow the comments for more information.

35 replies
  1. Robert perlberg says:

    Hi. I only use 1Password. It used to partially auto fill. How do I get that feature back on iMac, iPhone, iPad? Thank you

    • Jeffrey Goldberg says:

      Hi Robert,

      I’m not entirely sure what you mean by “partially autofill”. If you can describe it more fully, perhaps I can help.

  2. Jeffrey Goldberg says:

    Hi all,

    In order to keep the blog post short and relatively focused, there is a lot of stuff that I didn’t include, but would very much like to talk about for those interested.

    A malicious web page, with malicious content on it will always be able to do bad things with the information that you give it, irrespective of whether or not you use a password manager. There are lots of ways that a web page could become malicious.

    1. The owner of the site deliberately puts something malicious on the page
    2. The site gets compromised, and those who compromise it add malicious content.
    3. Malicious content is added to the site in transit (this is why you should use HTTPS everywhere)
    4. The owner of a site allows a third party to control some content of the page, and that third party allows for malicious content.

    In the recent instances it appears that (4) is the case. And because trackers are inherently privacy invading, I really shouldn’t have been surprised that this happened this way.

    Now the bad news is that when you – whether through manually typing stuff in or through asking 1Password to fill forms – hand over secrets to a web page, if that page has malicious content it will be able to use the information you give it in ways that are not in your interests.

    We cannot prevent that. But we work to make sure that 1Password doesn’t open you up to attacks that you wouldn’t otherwise be subject to. That is why we don’t allow automatic autofill. That is, there may be attacks that no password manager can protect you against, but we certainly don’t want the use of 1Password to enable attacks.

    Indirectly, 1Password does help protect you against a compromised website to which you give your credentials. If MyKittyPictures.org is compromised (through any of the means listed above) and you give it your username and password for that site (by whatever means) then the attacker can learn your username and password for that site. This is why the password you use there should not be the same password that you use any place else.

    Again, 1Password’s anti-phishing mechanisms work to make sure that you only give your MyKittyPictures.org secrets to that site. And keeping you in the loop makes sure that no secrets are given away without your permission. But it can’t force the site to handle those secrets well.

    So use 1Password to create and maintain unique passwords for each and every site, so a compromise of one of those passwords won’t lead to a compromise of anything other than the malicious site.

    Cheers,

    -j
    Chief Defender Against the Dark Arts @ AgileBits

    • Craig Francis says:

      “if that page has malicious content it will be able to use the information you give it in ways that are not in your interests.”

      I’m hoping we can convince Mike West to introduce “write only” input fields to the HTML spec.

      This would allow the password manager to write to the field, and for the value to not be read back.

      It would probably need the website to add this attribute, as I don’t think the password managers can add it automatically (will break websites that login via JS).

      https://mikewest.github.io/credentialmanagement/writeonly/

  3. Bob says:

    Why can’t you rate limit the use of the manager? Two attempts in three seconds is allowed, then a required ten second wait. Would this stop sweep attacks?

    • Jeffrey Goldberg says:

      That’s an interesting idea, Bob, but my first guess is that it couldn’t really be made to work.

      It isn’t hard for attackers to discover the rate limiting rates and adjust their scripts accordingly. But in these cases, I’m not even sure that rate limiting would be an option at all. If I understand sweep attacks sufficiently (I have not studied them carefully) they trick the browser extension into thinking that it has landed on a new page. People who want automatic autofill want pages to be filled quickly upon arrival.

      But my comments here are just off the top of my head. As we don’t do automatic autofill at all, we haven’t looked closely at those sorts of counter-measures.

    • Jeffrey Goldberg says:

      I have not tested or studied the behavior of anything other than 1Password, so I’m reluctant to make statements about Safari’s built-in password manager. But let me take another look at what the study says, … As I reread https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ I see

      Login form autofilling in general doesn’t require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form. Chrome doesn’t autofill the password field until the user clicks or touches anywhere on the page. Other browsers we tested [2] don’t require user interaction to autofill password fields.

      And their footnote “[2]” specifies that Safari was included in the browsers tested.

      We don’t know whether Safari’s built-in password manager was subject to the very specific attack, but it does follow a practice we recommend against.

  4. ++Don says:

    After seeing the picture of the automatic auto fill button taped into the “off” position, I immediately thought, “Does anyone have any tape out there?! I wanna put some tape over the automatic auto fill button.”

    Apologies to Rocket for stealing his line.

    ++Don

    • Jeffrey Goldberg says:

      Are you sure? I checked “whois” before using that domain name. The .com and .net names are registered. But whois records are telling me that mykittypictures.org is an unknown domain. May I ask who the registrar is?

    • Jeffrey Goldberg says:

      I do apologize. I thought I was being careful, but I wasn’t being careful enough.

      (And now I am looking for a better “whois” tool)

    • Nick Pastore says:

      Wait a minute…did you create this domain just so you could create this comment? Come on now…Jeffrey did his due diligence

    • Jeffrey Goldberg says:

      The dates are funny, aren’t they? But I’ve learned my lesson. Next time, we will register the domains prior to using them as examples publicly.

  5. Zemgas says:

    One of the other password managers doesn’t let you NOT use automatic autofill. Their users have been requesting it for years, only to have their hopes “Dash”ed.

  6. Matt B says:

    Whoa, I had no idea you could use ⌘-\ to bring up 1Password! It always annoyed me that I had to click click click to auto fill. It’s a large reason I left Safari’s auto fill enabled.

    Anyway, thanks for this write up. Very informative!

