by jxpx777 3617 days ago
Disclosure: I work for AgileBits, makers of 1Password.

For browser extensions, the URL constructor would be even easier: https://developer.mozilla.org/en-US/docs/Web/API/URL/URL (Yes, I know it says that IE doesn't support it, but IE doesn't have a proper extensions framework, so it's irrelevant to this topic.)


While you are here, can you confirm whether a similar regex vulnerability does not affect 1Password?
I had a quick look at the 1Password chrome extension source and it seems to me like they are using window.URL[0].

See this pastebin[1] for the function I believe is determining the url of the active tab and if it has a valid hostname.

There's also this one[2] that seems to be extracting the hostname of a given url also using the URL API.

Both these pastebins contain minimized code that I've cleaned up.

0: https://developer.mozilla.org/en-US/docs/Web/API/URL

1: http://pastebin.com/tWns7XmG

2: http://pastebin.com/PXS1iqsq
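The two functions the pastebins are said to contain (deciding whether the active tab has a valid hostname, and extracting the hostname of a given URL) can be written on top of the URL constructor as follows. This is an added illustration, not 1Password's or LastPass's code; the regex named NAIVE_HOST_RE is a constructed stand-in for the fragile pattern-matching approach, and the helper names are my own.

```javascript
// Added example: hostname handling for an extension matcher built on the WHATWG
// URL constructor rather than a regex. NAIVE_HOST_RE is a constructed example
// of a pattern that looks right on ordinary URLs: it takes everything between
// "://" and the next "/" as the host.
const NAIVE_HOST_RE = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]+)/i;

function naiveHostname(href) {
  const m = NAIVE_HOST_RE.exec(href);
  return m ? m[1].toLowerCase() : null;
}

// Parse with the URL constructor. It throws a TypeError on anything that is not
// a valid absolute URL, so the failure mode is "no hostname" instead of a
// partially matched string that still looks like a host.
function safeHostname(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // invalid or relative URL: nothing to match against
  }
  // Only web origins are candidates for filling saved logins.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // url.hostname is lowercased and excludes userinfo, port, path and query.
  return url.hostname || null;
}

// Decide whether the tab belongs to a saved site: exact host or a subdomain of
// the saved host. Both sides go through the same parser so they follow the same
// rules. (A production matcher would also consult a public-suffix list so that
// a saved host like "co.uk" cannot match every site under it.)
function tabMatchesSavedSite(tabHref, savedHref) {
  const tabHost = safeHostname(tabHref);
  const savedHost = safeHostname(savedHref);
  if (!tabHost || !savedHost) return false;
  return tabHost === savedHost || tabHost.endsWith('.' + savedHost);
}

// Constructed sample inputs showing where the two approaches diverge.
const SAMPLES = [
  'https://accounts.example.com/login',
  'https://accounts.example.com:8443/login',
  'https://accounts.example.com@other.example/login', // userinfo, real host is other.example
  'ftp://accounts.example.com/',
  'not a url',
];
for (const href of SAMPLES) {
  console.log(href, '=> regex:', naiveHostname(href), '| URL:', safeHostname(href));
}
```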

Not a dev on either product, but I use 1Password for my personal accounts, and a corporate LastPass for my work accounts. I do not believe that 1Password is as immediately vulnerable as LastPass.

LastPass (on Chrome) will auto-fill information on a detected site, which a malicious site can read immediately.

1Password (on Chromium nightly) requires me to hit the 1Password Mini button and select a site/account to log in with. If 1Password had a similar vulnerability, a malicious site as described would merely wind up showing me accounts for the wrong site in the dropdown. Clicking one could wind up submitting/leaking my credentials to the attacker, though.

1Password doesn't auto-fill, but you can press [Ctrl|CMD] + \ to fill in the password automatically based on the detected domain.
It does have an "open and fill" feature which autofills, but only immediately after opening the site by URL first. (So the attacker's URL would have to be saved in 1Password alongside your credentials.)

This is actually how I use 1Password most often. Global hotkey of cmd+opt+\, type a site name, hit enter: 1Password opens the site and logs in.

If they're not using regex, they can't be affected by it anyways.

Why not take a look at the code injected by 1Password's browser extension and find out for yourself whether it handles URLs safely? That shouldn't be hard to do, and it's a lot healthier for the community than discouraging devs to participate by taking their presence as an opportunity for drive-by pot shots.

I'm sorry, but I don't see how asking an employee of the company that makes the product that I use every day is "discouraging devs to participate by taking their presence as an opportunity for drive-by pot shots".

I think an official word holds more clout and is more valuable than any one person confirming for themselves in one version of one browser on one version of one OS.

I did speak rather harshly in my prior comment, and for that I apologize. Worse, I did a very poor job of expressing the concern that motivated me to respond. But I think it's still fair to ask whether your initial comment has value.

I understand that, as a user of 1Password's browser extension(s), you may well feel some concern that a similar vulnerability exists, and I don't think it's unreasonable to want reassurance on that score.

But I think your phrasing and framing of the question feels a lot more like a "gotcha" than anything else, and it's that feeling which motivated my prior comment - I'm not an AgileBits dev myself, but if I were, I'd feel strongly inclined to shy away from that question rather than trying to frame an answer that doesn't leave me open to a potentially hostile followup.

I understand a concern with my phrasing -- to be honest, I didn't put much thought into it as far as considering multiple interpretations.

I have sent a message to 1Password through the official customer support channel to ask the same question posed here. I'll update once they reply.

Update: Here's the response from earlier this morning:

> Thank you for taking the time to write to us here at AgileBits. The current version of the 1Password extension does not use regex to parse URLs for this exact reason. We don't autofill either, which also helps avoid issues like the one you mentioned.

FWIW, his question did not sound at all like that to me. Your reaction feels like unfair personal bias. Not trying to start a fight, but you seem open-minded enough to hear it, so I figured I'd let you know.

Not at all. But I would be interested to hear what sort of bias you saw in my prior comment. I mean, I don't think you're wrong, but beyond the downvotes, I only have my own perspective to go on here, and I'd appreciate the benefit of having yours as well.

Also, just because we're on Hacker News, it doesn't mean every reader is equipped to audit code for security vulnerabilities.

Presumably that's the job of a professional security developer that might reasonably be expected to have checked their own similar product for this vulnerability...

Fair. I would, though, expect someone whose HN profile identifies him as an experienced full-stack engineer to be up to the challenge of spotting something as basic as an extension injecting code into untrusted DOM and trusting the results that code gives back.

Chill. There's no need to bash other people's expertise. We get it, you're an expert in the domain, but this is adding nothing to the conversation.

URL constructor looks great! Just wish it was stable. I normally don't have to worry about IE very much anymore anyways.