About the issue
Research by Princeton’s Center for Information Technology Policy has highlighted the use of password managers as a way of tracking users across websites. Scripts are added to a webpage and these create fake login forms. The forms are monitored so that any information filled into them by the browser or extensions can be sent back to the desired recipient.
What you should know
1Password was, and is, completely immune to these attacks, because we never silently fill information without user intervention; that requirement exists precisely to prevent attacks of this kind.
Why are some password managers vulnerable?
Password managers such as 1Password use anti-phishing mechanisms to avoid filling into the wrong page. That is, we will not fill a password saved for paypal.com into paypal.evil.com because the domains do not match.
The web technologies currently available to determine the origin of any given portion of a web page are imperfect. We do our best to avoid 1Password misidentifying the site it’s being asked to fill into and, because we know that this is fallible, have always required that users take some action to fill into web forms.
If a password manager is configured to automatically and silently fill into forms as soon as a browser page is loaded – without any user intervention – it may fill user secrets into a malicious form. If the malicious form has managed to defeat the domain matching mechanisms of the password manager it could silently obtain the user credentials for any domain.
No automatic filling
1Password will never give any user secrets to a web page without the user’s knowledge and consent. The 1Password user must request that 1Password fill a page through one of several methods, including a keyboard shortcut, open and fill from 1Password, or a 1Click Bookmark.
Because 1Password insists on user action to fill a web form, it’s immune to the particular attack from advertising trackers and a large family of related attacks.
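The two safeguards described above, domain matching and a mandatory user action before any fill, modelled as an added JavaScript example that is not 1Password's own code; the sample vault, the hostMatches and decideFill names, and the extra check that the form's frame matches the saved domain are assumptions for illustration.

```javascript
// Added example, not 1Password's code: a minimal model of the two safeguards
// the article describes. Vault contents and function names are constructed.

// Constructed sample vault: one saved login, keyed by the site it was saved for.
const SAVED_LOGINS = [
  { site: "https://paypal.com/signin", username: "alice", password: "correct horse" },
];

// Does pageHost equal savedHost, or sit beneath it on a label boundary?
// A naive pageHost.endsWith("paypal.com") would also accept "notpaypal.com";
// "paypal.evil.com" is rejected because it does not end in ".paypal.com".
// (Real managers compare registrable domains via the Public Suffix List;
// this subdomain-of-saved-host rule is a simplification.)
function hostMatches(savedHost, pageHost) {
  const saved = savedHost.toLowerCase();
  const page = pageHost.toLowerCase();
  return page === saved || page.endsWith("." + saved);
}

// Decide whether a fill request should be honoured.
//   topUrl   - URL of the top-level page the user is looking at
//   frameUrl - URL of the frame that contains the form to be filled
//   request  - { userInitiated: boolean }, set only by an explicit user action
//              (keyboard shortcut, open-and-fill, bookmark), never by page load
function decideFill(topUrl, frameUrl, request) {
  const topHost = new URL(topUrl).hostname;
  const frameHost = new URL(frameUrl).hostname;
  const login = SAVED_LOGINS.find((l) => {
    const savedHost = new URL(l.site).hostname;
    // Both the page and the form's own frame must belong to the saved domain,
    // so a form injected from another origin does not inherit the page's match.
    return hostMatches(savedHost, topHost) && hostMatches(savedHost, frameHost);
  });
  if (!login) return { fill: false, reason: "no login saved for this domain" };
  // Domain matching is fallible, so even a matching page is only filled when
  // the user asked for it; a silently injected form never triggers a fill.
  if (!request.userInitiated) return { fill: false, reason: "fill not requested by user" };
  return { fill: true, username: login.username, password: login.password };
}

// Usage: a look-alike domain and an unrequested fill are both refused.
console.log(decideFill("https://paypal.evil.com/login", "https://paypal.evil.com/login", { userInitiated: true }));
console.log(decideFill("https://www.paypal.com/signin", "https://www.paypal.com/signin", { userInitiated: false }));
```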