For browser extensions, the URL constructor would be even easier: https://developer.mozilla.org/en-US/docs/Web/API/URL/URL (Yes, I know it says that IE doesn't support it, but IE doesn't have a proper extensions framework, so it's irrelevant to this topic.)
See this pastebin for the function I believe is determining the url of the active tab and if it has a valid hostname.
There's also this one that seems to be extracting the hostname of a given url also using the URL API.
Both these pastebins contain minimized code that I've cleaned up.
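To make the parsing point concrete, here is an added example (not code from the thread, from the pastebins, or from any password manager) contrasting a hand-rolled hostname regex with the URL constructor. The regex, the subdomain match policy and the test URLs below are all constructed for illustration; the regex is one common naive pattern and is not LastPass's actual code.

```javascript
// Added example, not code from the thread or from LastPass/1Password.
// Compares a naive regex hostname extractor with the URL constructor when
// deciding whether a tab's URL belongs to a stored site.

// Constructed naive pattern: tries to skip "user:pass@" userinfo before the
// host, but "[^@]*" happily runs past "/" and into the path.
const NAIVE_HOST_RE = /^https?:\/\/(?:[^@]*@)?([^\/:?#]+)/i;

function hostFromRegex(url) {
  const m = NAIVE_HOST_RE.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// URL API: a real parser, returns a normalised hostname with no userinfo,
// port, path or query attached. Anything that is not http(s) is rejected.
function hostFromUrlApi(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.hostname;
}

// Constructed match policy: exact host or a subdomain of the stored host.
// (Whether subdomains should match at all is a product decision; the point
// here is that the comparison is only as good as the hostname fed into it.)
function hostMatches(tabHost, storedHost) {
  if (!tabHost || !storedHost) return false;
  return tabHost === storedHost || tabHost.endsWith('.' + storedHost);
}

// Constructed test URLs: attacker-controlled variations on "example.com".
const CASES = [
  'https://example.com/login',                   // legitimate
  'https://accounts.example.com/',               // legitimate subdomain
  'https://attacker.test/@example.com/',         // "@" in the path
  'https://example.com@attacker.test/',          // real userinfo
  'https://example.com.attacker.test/',          // suffix trick
  'https://attacker.test/?next=https://example.com/',
  'javascript:alert(document.domain)',           // not a site at all
];

// Returns, for each test URL, whether each extractor would treat the tab as
// belonging to storedHost.
function compare(storedHost) {
  return CASES.map(url => ({
    url,
    regexMatch: hostMatches(hostFromRegex(url), storedHost),
    urlApiMatch: hostMatches(hostFromUrlApi(url), storedHost),
  }));
}

console.table(compare('example.com'));
```

Run it under Node (which ships the WHATWG URL constructor) and the only row where the two columns disagree is the "@ in the path" URL: the regex reports example.com and would offer that site's credentials on attacker.test, while `new URL(...)`.hostname correctly reports attacker.test. In an extension you would feed `tab.url` from the tabs API into hostFromUrlApi rather than into a regex.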
LastPass (on Chrome) will auto-fill information on a detected site, which a malicious site can read immediately.
1Password (on Chromium nightly) requires me to hit the 1Password Mini button and select a site/account to log in with. If 1Password had a similar vulnerability, a malicious site as described would merely wind up showing me accounts for the wrong site in the dropdown. Clicking one could wind up submitting/leaking my credentials to the attacker, though.
This is actually how I use 1Password most often. Global hotkey of cmd+opt+\, type a site name, hit enter: 1Password opens the site and logs in.
Please don't do this on Hacker News.
While I would agree that this place would be better off without judgment, and harsh judgment as I've shown here, the reality is that we all share this place equally with others who do not stop and consider their actions as affecting others' thought processes in a negative way. I put this on here to illustrate that point in a non-obvious way, and in a way people CAN understand: anger. It's not the only way of course, but it does get the bug into people's brains quite well.
I appreciate your comment and intent behind it.
I very much agree that downvoting without comment (indeed except for the truly awful ones that would just draw needless noise because of it) is an anti-pattern. But I am occasionally guilty of it myself as well, partly because writing a reply to a not-quite-awful comment costs me a lot of time (even if it's a short comment).
The greying-out of downvoted comments doesn't help with the perception of receiving a downvote without comment either (makes it feel more harsh, IMO). I'd prefer showing the counts again, actually.
My goal was to settle concern for myself and other 1Password users. That's why I wrote whether a similar vulnerability "does not affect 1Password" instead of "does". My apologies if this was unclear.
I recently started using LastPass after years of reusing the same uncrackable password: !p@ssword123
- This is the second serious security incident with them. Nobody's immune to bugs, but I haven't seen a similar history with AgileBits.
- LastPass has, IMHO, terrible UI/UX. Things don't work consistently, there are weird, unexpected pauses that look like malfunctions until something visible happens; it took me a comparatively long time to figure out how to map common actions to the gestures that perform them; and finally, this is way down the priority list, but I find it generally kind of ugly. I suspect some of these complaints are partially linked to the next point.
- LastPass is more trouble than it is worth in Safari/Mac.
I've used 1Password personally since 2008-ish, and think I've had exactly one nontrivial problem with it in that time, which was my fault. (There was some upgrade-path weirdness with the iOS version several years ago, and I left a device unused long enough that it ended up with orphaned data I couldn't sync. I forget the details of what exactly happened.)
1Password Teams didn't exist when my company started using LastPass, but I'm hoping to get switching onto the low-priority project list.
Can't agree with this more. I've had so many issues with LastPass staying logged in one browser across sessions, even though the preferences are set to logout after short inactivity windows and on browser quit. LastPass seemed to lose its preferences like this multiple times, and it made me uncomfortable from a security perspective to not know for sure when my sessions would actually end.
Besides that it's mostly UX issues for me, similar to what you've described.
I also prefer 1Password's pronounceable random password generator vs LastPass's generator (obligatory xkcd https://xkcd.com/936/).
But after the first use of the LastPass Safari extension, TextExpander (or Keyboard Maestro, or a bunch of other tools) won't work anywhere until after a reboot or some other method of disabling SI.
You should maybe try and get it on the high priority list. On August 1st the Teams pro plan will increase from $4/user/mo. (introductory price) to $12/user/mo. for new signups: https://1password.com/teams/pricing/
For me, the biggest pain point is the interface. The automatic form filling rarely works as it should; I click the LastPass icon in the username field, select the site, and it only populates the username (even though there is an input with type="password" right below it).
I then have to:
1) Press ALT+W to bring up the LastPass site search
2) Type in the domain name
3) Find the correct entry, and then click "Show Password"
4) Use my mouse to highlight the password and copy it (there is no quick way to copy the password)
5) Close the tab, go back to the original site, put my cursor in the password field and paste it
And then I have to worry about what password I may or may not have lingering in my clipboard.
If anyone has a better workflow please let me know. I'm envious when I watch coworkers use 1Password to populate a form in two steps using hotkeys.
Then just click the password field and Ctrl-V, of course.
If you're concerned about the clipboard, get in the habit of typing Shift-LeftArrow Ctrl-C after entering the password, to quickly replace your clipboard with a single character.
I'm not sure how LastPass does it, but 1Password does clear the clipboard after a short period of time (configurable, I think 90 seconds by default). I use clipboard logging via Alfred, and can confirm that however they clear the clipboard works to keep them out of its log.
(Without a paid subscription, bookmarklets on mobile still work for free of course. But I found that login flow so cumbersome.)
Stack Overflow Outage Postmortem: https://news.ycombinator.com/item?id=12131909
There are appropriate channels to ask questions like that and appropriate times to downvote. But, hey, I'm not here to offend the hivemind. Please have mercy ;)
I think an official word holds more clout and is more valuable than any one person confirming for themselves in one version of one browser on one version of one OS.
I understand that, as a user of 1Password's browser extension(s), you may well feel some concern that a similar vulnerability exists, and I don't think it's unreasonable to want reassurance on that score.
But I think your phrasing and framing of the question feels a lot more like a "gotcha" than anything else, and it's that feeling which motivated my prior comment - I'm not an AgileBits dev myself, but if I were, I'd feel strongly inclined to shy away from that question rather than trying to frame an answer that doesn't leave me open to a potentially hostile followup.
I have sent a message to 1Password through the official customer support channel to ask the same question posed here. I'll update once they reply.
> Thank you for taking the time to write to us here at AgileBits. The current version of the 1Password extension does not use regex to parse URLs for this exact reason. We don't autofill either, which also helps avoid issues like the one you mentioned.
1: Defensiveness. It seemed more like an honest question than a pot shot. You seemed to read into it something like "Aha! How about your software fool!?!"
That said, if it were a reporter asking the question, then I would see it as a gotcha, because the use of the word confirm is used as a setup sometimes.
2: Tech bias. Not everyone on here is a Dev, and even though I know a fair bit about programming it would not be a trivial task to do what is simple for you regarding checking out code injections and what they do re a security standpoint. That would probably be a long afternoon of googling for me :)
Just my view...
Presumably that's the job of a professional security developer that might reasonably be expected to have checked their own similar product for this vulnerability...