Currently, the Autofill button appears over the top of page content at a location that may seem random. This presents an ideal surface to mount a spearphishing attack against a LastPass/1Password master key. All it takes to spoof a master safe password-phishing Autofill experience is a working XSS exploit on a trusted site. By using XSS, a malicious attacker could insert the image of an Android OS Autofill button on a site that is trusted implicitly. When pressed, the button would open a lookalike sign-in page for the password safe. Worse, the button is the same across Android apps, so the same attack would work across multiple browsers and divulge all passwords the user owns. This type of attack is hard to mitigate. 1Password deliberately prevents the user from clicking on their icon inside web content on desktop because it's so easily phishable by attackers. However, showing the icon outside of the web engine surface may indicate (at least to power users) that it was not created by the content. This depends upon the user recognizing something out of place: either the button or the non-native sign-in page at an odd URL. I'd propose that we place the Autofill button at the end of the URL bar or keyboard suggestions instead of placing it over web content. I'd welcome alternative suggestions.
Bug 1603592 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Currently, the Autofill button appears over the top of page content at a location that may seem random. This presents an ideal surface to mount a spearphishing attack against a LastPass/1Password master key. All it takes to spoof a master safe password-phishing Autofill experience is a working XSS exploit on a trusted site. By using XSS, a malicious attacker could insert the image of an Android OS Autofill button on a site that is trusted implicitly. When pressed, the button would open a lookalike sign-in page for the password safe. Worse, the button is the same across Android apps, so the same attack would work across multiple browsers and divulge all passwords the user owns. This type of attack is hard to mitigate. 1Password deliberately prevents the user from clicking on their icon inside web content on desktop because it's so easily phishable by attackers (it directs the user to use a keyboard shortcut when pressed). However, showing the icon outside of the web engine surface may indicate (at least to power users) that it was not created by the content. This depends upon the user recognizing something out of place: either the button or the non-native sign-in page at an odd URL. I'd propose that we place the Autofill button at the end of the URL bar or keyboard suggestions instead of placing it over web content. I'd welcome alternative suggestions.