1Password keeps you safe by keeping you in the loop

This is a story with many beginnings and many threads coming together. The very short version of it is that 1Password’s browser extension has been designed from the outset to keep you safe from some recently discovered browser-based attacks on some password managers.

Researchers at Princeton University’s Web Transparency and Accountability Project were investigating tracking scripts on web pages, and discovered that several of them attack browser-based password managers and extract the email addresses, usernames and sites stored in the browser’s password manager. As I said, 1Password is designed in such a way as to not be vulnerable to the kinds of attacks those scripts used. The scripts that attempt this are from Adthink (audience insights) and OnAudience (behavioralengine).

Whether or not they make malicious use of the passwords they extract, they are certainly learning which sites you have records for in those password managers. I would like to add that we’ve designed 1Password so that we cannot know which sites and services you have logins for.

There is a huge amount to say about the contemptible behavior of these trackers, and I’m hopeful that others will say so clearly. Here, I want to talk more about what all of this illustrates about 1Password’s design and our approach to security.

Saying “no” to automatic autofill

A commonly requested feature is an option that would have 1Password automatically fill in web forms as soon as you navigate to those pages in your browser. 1Password, instead, always requires that you take some action. Perhaps it is just hitting ⌘-\ or Ctrl-\, or using our Go and Fill mechanism, or even setting up a 1Click Bookmark. But whichever of the several mechanisms 1Password makes available you use, you have to tell it that you want it to fill material on the page.

Plenty of you have written in over the years, saying that you would like 1Password to fill in web forms as soon as you get to a page, with no human intervention. We’ve even been told that it is a very popular feature of some other password managers.

It’s not a lot of fun saying “no” to feature requests. But that is what we have done for as long as I can remember. And for the rest of this article, I’m going to draw from something I wrote in our forums back in 2014.

Because of security concerns we are disinclined at this time to offer, even as an option, the feature you (and so many others) are asking for. […] but I do want to give you an overview of our reasoning for what might seem like an odd choice.

Automatically filling a web form with no user intervention other than visiting the page can, if combined with something that works around the anti-phishing mechanism [of 1Password], lead to an attack where lots of your usernames and passwords are submitted to a malicious site in a way that is silent and invisible to you.

The longer answer

I will use the terminology adopted by David Silver and co-authors in Password Managers: Attacks and Defenses at the USENIX security conference (2014). In the terminology of that paper, this requested feature is “automatic auto-fill” instead of what 1Password does with “manual auto-fill”. That is, 1Password requires some user intervention before it will fill a form (such as you typing Ctrl-\), instead of simply filling when you visit a page.

Although I am citing material from 2014, this kind of attack had been discussed since at least 2006, when one description of it noted that

It’s really not phishing, as it doesn’t actually require the user to believe anything, as the social engineering portion of the attack is not there. As such you can steal user information through any page, as long as the automatic form submission requires no user input to fill the form.

This isn’t new.

Why am I now going to talk about phishing?

One of the great security benefits of 1Password is that it helps you avoid phishing attacks. When you ask 1Password to fill information into a page, it will not fill into pages that don’t match the URL of the item.

1Password has a number of mechanisms to prevent filling into the wrong page. That is, if you go to a form at paypal.evil.com 1Password will not fill in a password saved for paypal.com because the domains don’t match correctly. Tricking a person into filling out something like their PayPal password to something that only masquerades as PayPal is called “phishing”. The idea is that it should be harder to trick a password manager than a person. And it usually is. This is one of the many ways in which 1Password keeps you safe.

For the kinds of attacks we’ve been talking about, the malicious web page content needs to trick or bypass the password manager’s anti-phishing mechanism. If a malicious script on MyKittyPictures.example.com is going to try to grab PayPal credentials, then it is going to have to fool the password manager into thinking that it is filling in a place that matches paypal.com.

We work very hard to make 1Password do the right thing in such cases. 1Password’s anti-phishing mechanisms work very well at preventing it from filling into the “wrong” web forms. But because of the nature of HTML, iFrames, protocols, JavaScript, iFrames, conventions, page designs, and iFrames, the defenses that we (and everyone) have to use are messy and involve a series of rules and exceptions and exceptions to those exceptions. (Did I mention that iFrames are a trouble spot?) It is exactly the kind of thing that we know can go wrong.

So the question we’ve had to ask ourselves is whether the anti-phishing mechanisms are strong enough that we never, ever have to worry about 1Password filling data into the wrong place. We needed to decide whether the tools available for that defense are strong enough to allow us to build a mechanism that meets our standards. Unfortunately they aren’t, and so we insist on another line of defense.

Invisible forms

The fields in which usernames, passwords, credit card numbers, and so on get filled won’t always be visible to you. Any page could have a form on it that you don’t see. If the designer of the form is attempting to trick a form filling mechanism, there is no way that 1Password could actually check to see if the fields really are visible.

So if the anti-phishing mechanism can be tricked, then when you visit a malicious web page (including those that have malicious tracking scripts on them) you could have your private information silently and invisibly stolen if automatic auto-fill were in place.

Sweep attacks

The malicious form could be designed to reload itself, spoofing a different password each time. That is, a single malicious injection point could trick your automatically auto-filling password manager into giving up your passwords for many different sites. David Silver referred to these as “sweep attacks”, and that is what it appears these advert trackers are doing.

At this point, I have not fully studied their scripts to know the precise mechanisms they used, but it certainly is some form of sweep attack.
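To make the two lines of defense discussed above concrete (domain matching before a fill, and the required user action of “manual auto-fill”), here is an added example. It is not 1Password’s code; the vault, the list of sites the rogue page claims to be on, and the simplified two-label registrable-domain rule are all constructed for illustration, and the sweep simulation models a defeated anti-phishing check by feeding the manager a page location it has been fooled into believing.

```javascript
// Added example, not 1Password's code. Models (1) domain matching and
// (2) a required user action, then simulates a sweep against each policy.

// Constructed sample vault: each item records the site it was saved for.
const VAULT = [
  { site: "https://www.paypal.com/signin", user: "alice", password: "pw-paypal" },
  { site: "https://bank.example.com/login", user: "alice", password: "pw-bank" },
];

// Constructed list of sites a rogue page pretends to be, one per reload.
const SWEEP_LIST = [
  "https://www.paypal.com/signin",
  "https://bank.example.com/login",
  "https://shop.example.net/account",
];

// Registrable domain, e.g. "www.paypal.com" -> "paypal.com".
// Assumption: a two-label suffix; "co.uk"-style suffixes would need the
// Public Suffix List, which a real extension must consult.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Defence 1: an item is eligible only when registrable domains agree.
// "paypal.evil.com" resolves to "evil.com", so it does not match "paypal.com".
function itemMatchesPage(item, pageUrl) {
  const page = new URL(pageUrl);
  const saved = new URL(item.site);
  return registrableDomain(page.hostname) === registrableDomain(saved.hostname);
}

// Defence 2: under the "manual" policy nothing is filled unless the user
// asked for it (e.g. Ctrl-\). Returns the credential filled, or null.
function fill(vault, pageUrl, { policy, userAction = false }) {
  if (policy === "manual" && !userAction) return null;
  const item = vault.find((it) => itemMatchesPage(it, pageUrl));
  return item ? { user: item.user, password: item.password } : null;
}

// Sweep simulation: each reload makes the manager believe it is on one of
// claimedSites (the anti-phishing check is assumed defeated), and the user
// does nothing. Returns how many vault items would be handed over.
function simulateSweep(vault, policy, claimedSites) {
  return claimedSites.filter((site) => fill(vault, site, { policy }) !== null).length;
}

// Stand-alone run: automatic auto-fill leaks every matching item, manual leaks none.
console.log("automatic:", simulateSweep(VAULT, "automatic", SWEEP_LIST));
console.log("manual:   ", simulateSweep(VAULT, "manual", SWEEP_LIST));
```

The domain check alone stops paypal.evil.com, but once the manager's idea of the page location is wrong, only the user-action requirement keeps the sweep at zero.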

Doing good and doing no harm

Here is where I go off on a bit of a philosophical abstraction. As I’ve said, I don’t believe that a password manager can offer 100% absolute protection against phishing. But suppose there is one attack out of a million in which it fails to protect against phishing. If you use 1Password, you are much safer against the other 999,999 attempts and you are no worse off than you would be without it. Even in that one in a million case, using 1Password doesn’t add to your risk.

But now contrast that with a situation with a password manager that does allow automatic autofill. A password manager that can be subject to a sweep attack enables a kind of attack that wouldn’t be possible without the use of a password manager.

If you are using a password manager that allows for automatic autofill, turn that feature off. If you are using a password manager that doesn’t allow you to turn that feature off, switch password managers. And when you consider making such a switch, please remember that we’ve never allowed automatic autofill at any time in our more than 10 year history. We believe that you have to be in the loop when it comes to giving your secrets to anyone else. That design philosophy helps keep you safe and in control.

It ain’t over till it’s over

I’m sure that there will be more news to come over the next few days or weeks about the extent of these malicious trackers and precisely which password managers were affected. So please follow the comments for more information.

27 replies
  1. Robert perlberg
    Robert perlberg says:

    Hi. I only use 1Password. It used to partially auto fill. How do I get that feature back on iMac, iPhone, iPad? Thank you

    Reply
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Hi Robert,

      I’m not entirely sure what you mean by “partially autofill”. If you can describe it more fully, perhaps I can help.

  2. Jeffrey Goldberg
    Jeffrey Goldberg says:

    Hi all,

    In order to keep the blog post short and relatively focused, there is a lot of stuff that I didn’t include, but would very much like to talk about for those interested.

    A malicious web page, with malicious content on it will always be able to do bad things with the information that you give it, irrespective of whether or not you use a password manager. There are lots of ways that a web page could become malicious.

    1. The owner of the site deliberately puts something malicious on the page
    2. The site gets compromised, and those who compromise it add malicious content.
    3. Malicious content is added to the site in transit (this is why you should use HTTPS everywhere)
    4. The owner of a site allows a third party to control some content of the page, and that third party allows for malicious content.

    In the recent instances it appears that (4) is the case. And because trackers are inherently privacy invading, I really shouldn’t have been surprised that this happened this way.

    Now the bad news is that when you – whether through manually typing stuff in or through asking 1Password to fill forms – hand over secrets to a web page, if that page has malicious content it will be able to use the information you give it in ways that are not in your interests.

    We cannot prevent that. But we do work to make sure that 1Password doesn’t open you up to attacks that you wouldn’t otherwise be subject to. That is why we don’t allow automatic autofill. That is, there may be attacks that no password manager can protect you against, but we certainly don’t want the use of 1Password to enable attacks.

    Indirectly, 1Password does help protect you against compromised websites to which you give your credentials. If MyKittyPictures.org is compromised (through any of the means listed above) and you give it your username and password for that site (by whatever means) then the attacker can learn your username and password for that site. This is why the password you use there should not be the same password that you use any place else.

    Again, 1Password’s anti-phishing mechanisms work to make sure that you only give your MyKittyPictures.org secrets to that site. And keeping you in the loop makes sure that no secrets are given away without your permission. But it can’t force the site to handle those secrets well.

    So use 1Password to create and maintain unique passwords for each and every site, so a compromise of one of those passwords won’t lead to a compromise of anything other than the malicious site.

    Cheers,

    -j
    Chief Defender Against the Dark Arts @ AgileBits

    Reply
    • Craig Francis
      Craig Francis says:

      “if that page has malicious content it will be able to use the information you give it in ways that are not in your interests.”

      I’m hoping we can convince Mike West to introduce “write only” input fields to the HTML spec.

      This would allow the password manager to write to the field, and for the value to not be read back.

      It would probably need the website to add this attribute, as I don’t think the password managers can add it automatically (will break websites that login via JS).

      https://mikewest.github.io/credentialmanagement/writeonly/

  3. Bob
    Bob says:

    Why can’t you rate limit the use of the manager? Two attempts in three seconds is allowed, then a required ten second wait. Would this stop sweep attacks?

    Reply
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      That’s an interesting idea, Bob, but my first guess is that it couldn’t really be made to work.

      It isn’t hard for attackers to discover the rate limiting rates and adjust their scripts accordingly. But in these cases, I’m not even sure that rate limiting would be an option at all. If I understand sweep attacks sufficiently (I have not studied them carefully) they trick the browser extension into thinking that it has landed on a new page. People who want automatic autofill want pages to be filled quickly upon arrival.

      But my comments here are just off the top of my head. As we don’t do automatic autofill at all, we haven’t looked closely at those sorts of counter-measures.

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      I have not tested or studied the behavior of anything other than 1Password, so I’m reluctant to make statements about Safari’s built-in password manager. But let me take another look at what the study says, … As I reread https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ I see

      Login form autofilling in general doesn’t require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form. Chrome doesn’t autofill the password field until the user clicks or touches anywhere on the page. Other browsers we tested [2] don’t require user interaction to autofill password fields.

      And their footnote “[2]” specifies that Safari was included in the browsers tested.

      We don’t know whether Safari’s built-in password manager was subject to the very specific attack, but it does follow a practice we recommend against.

  4. ++Don
    ++Don says:

    After seeing the picture of the automatic auto fill button taped into the “off” position, I immediately thought, “Does anyone have any tape out there?! I wanna put some tape over the automatic auto fill button.”

    Apologies to Rocket for stealing his line.

    ++Don

    Reply
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Are you sure? I checked “whois” before using that domain name. The .com and .net names are registered. But whois records are telling me that mykittypictures.org is an unknown domain. May I ask who the registrar is?

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      I do apologize. I thought I was being careful, but I wasn’t being careful enough.

      (And now I am looking for a better “whois” tool)

  5. Zemgas
    Zemgas says:

    One of the other password managers doesn’t let you NOT use automatic autofill. Their users have been requesting it for years, only to have their hopes “Dash”ed.

    Reply
  6. Matt B
    Matt B says:

    Whoa, I had no idea you could use ⌘-\ to bring up 1Password! It always annoyed me that I had to click click click to auto fill. It’s a large reason I left Safari’s auto fill enabled.

    Anyway, thanks for this write up. Very informative!

    Reply
  7. John
    John says:

    First, please pardon my technical ignorance here… this may sound ridiculous from a coding standpoint.

    If the scripts are instructing the browser that the form fields will not be visible to the user, and the fields are not displayed, then the browser is able to obey this and render it accordingly. If the browser can recognize and carry out that instruction for a form field to be hidden, why can’t a password manager (the browser’s or a 3rd party) recognize those same instructions and simply not fill hidden form fields, or fields that are 1×1 px (if that’s possible), etc.?

    Thanks

    Reply
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      That’s a nice suggestion, John. But sadly it just creates an expensive arms race that the good guys would lose.

      We’ve all seen badly designed pages where some block of stuff covers up some other stuff. And we’ve also all seen pages where color choices make things barely legible. We’ve seen cases where crucial data is off the margins. And those are done just accidentally.

      There are lots of ways to make something invisible to humans if you try. The only way a tool could really tell if something is visible or not would be to render the page, and then analyze an image of that page with some very high powered (and computationally expensive) analysis that would still be trickable. The measures that we would have to add to do this are all “more expensive” than the counter-measures that the bad guys could use to evade our filters.

  8. Mark Kenny
    Mark Kenny says:

    Can I ask what protection 1Password provides against invisible forms?

    Also, as a feature request, would it be possible for 1Password to disclose what fields it fills in? Ghostery has a purple overlay which tells you what trackers are being blocked. Could 1Password display something like “2 fields were filled”, just for peace of mind?

    Thanks! Have always been a fan of your clear answers and transparency, it builds trust :)

    Reply
    • Kate Sebald
      Kate Sebald says:

      Hey Mark! First off, I’m going to double apologize, both for the delay in replying to you and for the fact that I’m probably not going to be as thorough or insightful as Jeff would be. He’s been pulled away and I’ve been on vacation, but I think Jeff covers much of your question in this comment and I’ll do my best to supplement.

      As Jeff mentions in the comment I linked, “[W]hen you – whether through manually typing stuff in or through asking 1Password to fill forms – hand over secrets to a web page, if that page has malicious content it will be able to use the information you give it in ways that are not in your interests. We cannot prevent that.” We do a lot to ensure your credentials only fill where they’re supposed to by ensuring the forms filled are on the proper domain and not filling without your explicit consent, but we ultimately can’t control how that site uses your credentials once it has them. Beyond these protections, though, the best protection 1Password offers has little to do with the hidden forms themselves, in my opinion. Jeff mentions this, but it’s worth highlighting: with 1Password, one malicious (or simply negligent) page cannot compromise multiple accounts. This is really what gives me the most peace of mind. Before 1Password, one compromised account would likely lead to many for me due to the formulaic passwords I had to use to remember them. Now, I have unique passwords for every site since 1Password remembers them for me, so I take great comfort in the worst-case scenario being much less scary with 1Password than without. 😊

  9. Jim
    Jim says:

    For users of the Firefox Password Manager you can switch off the auto-fill login:

    “If you want to keep using Firefox’s password manager, you should type “about:config” into Firefox’s address bar and press Enter. You’ll see a warning screen informing you that changing various settings here could cause problems. Don’t worry—if you just change the single setting we point out, you’ll be fine. Click “I accept the risk!” to continue.

    Type “autofillForms” into the search box and double-click the “signon.autofillForms” preference to set it to “false”. Firefox will no longer autofill usernames and passwords without your permission.”

    Source: https://www.howtogeek.com/338209/you-should-turn-off-autofill-in-your-password-manager/

    Reply
    • Kate Sebald
      Kate Sebald says:

      Hey Jim! Apologies for the slow response here. I’ve been on vacation and Jeff has been pulled away for a bit so I’m doing my best to help catch up today. Sorry!

      It’s great to know this is possible in Firefox. While I agree that this particular change in about:config probably won’t cause any trouble, it still isn’t generally something I’d recommend for folks not familiar or comfortable with the potential consequences there. If this is something you’re comfortable with, by all means, but our recommendation would, of course, be to use 1Password instead. No ignoring warnings required. 😉

  10. tastewar
    tastewar says:

    Hi! I’m a longtime user of 1Password, and a big fan. My suggestion, which fits in with the title of this post, would be to have a mode/preference that causes 1Password to display a “preview” dialog when the user requests that it fill in fields. The dialog would display some type of field name (from the form), and the data that is to be filled in, perhaps with a checkbox for each. This way, if I saw that there were 2 password fields being filled in (Danger!), or a street address field that I didn’t see on the screen, I could either Cancel the fill, or clear the checkboxes as appropriate.

    Reply
    • Kate Sebald
      Kate Sebald says:

      Hey, Tastewar! First off, my apologies for not replying to you earlier. I saw you’d posted a few times (I picked the latest to approve and reply to as each was similar, so I hope that’s okay), but since we moderate comments for spam and Jeff and I have both been away for a bit we’re a bit behind and not approving and replying as quickly as we’d like. I hope you can forgive us!

      Thanks for sharing your suggestion! This type of thing is something we do find appealing and I’ll definitely pass your idea along to our development team, but it’s a complicated feature to put together. When we’re presenting information to y’all that will affect your security decisions, there is a particularly strong onus on us to present that information so that it’s both understandable and accurate, which can be more or less complicated depending on how forms are designed on any given site. The same things (Jeff mentioned iframes a few times) that already cause us some grief when the 1Password extension reads the page also have an effect on our ability to use information we already have to share more about the page and forms on it with you.

      This is not exactly a new vulnerability, as Jeff mentioned in this post, but it is the first time its abuse has been put in the spotlight. It’s important we make sure anything we do here is more than just a reactionary change and is genuinely solving a problem in a usable fashion that makes sense to our customers and allows y’all to make better choices about filling (or not). We’ve had some chats about this internally and will likely have more to come, but right now the best thing you can do is make sure your password manager (whatever you might use) allows you to stop and use your own best judgment about whether you’re comfortable filling on any given page rather than making that decision for you by automatically autofilling. 1Password already lets you do that and perhaps in the future, we’ll be able to help you make that decision with some extra information about the page. We’ll see! 🙂
