[throwanem]

Why not take a look at the code injected by 1Password's browser extension and find out for yourself whether it handles URLs safely? That shouldn't be hard to do, and it's a lot healthier for the community than discouraging devs to participate by taking their presence as an opportunity for drive-by pot shots.

[tedmiston]

I'm sorry, but I don't see how asking an employee of the company that makes the product that I use every day is "discouraging devs to participate by taking their presence as an opportunity for drive-by pot shots".

I think an official word holds more clout and is more valuable than any one person confirming for themselves in one version of one browser on one version of one OS.

[throwanem]

I did speak rather harshly in my prior comment, and for that I apologize. Worse, I did a very poor job of expressing the concern that motivated me to respond. But I think it's still fair to ask whether your initial comment has value.

I understand that, as a user of 1Password's browser extension(s), you may well feel some concern that a similar vulnerability exists, and I don't think it's unreasonable to want reassurance on that score.

But I think your phrasing and framing of the question feels a lot more like a "gotcha" than anything else, and it's that feeling which motivated my prior comment - I'm not an AgileBits dev myself, but if I were, I'd feel strongly inclined to shy away from that question rather than trying to frame an answer that doesn't leave me open to a potentially hostile followup.

[tedmiston]

I understand a concern with my phrasing -- to be honest, I didn't put much thought into it as far as considering multiple interpretations.

I have sent a message to 1Password through the official customer support channel to ask the same question posed here. I'll update once they reply.

[tedmiston]

Update: Here's the response from earlier this morning:

> Thank you for taking the time to write to us here at AgileBits. The current version of the 1Password extension does not use regex to parse URLs for this exact reason. We don't autofill either, which also helps avoid issues like the one you mentioned.

[jonahx]

Fwiw, his question did not sound at all like that to me. Your reaction feels like unfair personal bias. Not trying to start a fight but you seem openminded enough to hear it so figured Id let you know

[throwanem]

Not at all. But I would be interested to hear what sort of bias you saw in my prior comment. I mean, I don't think you're wrong, but beyond the downvotes, I only have my own perspective to go on here, and I'd appreciate the benefit of having yours as well.

[nekopa]

Not the poster you replied to, but there were 2 types of bias I saw:

1: Defensiveness. It seemed more like an honest question than a pot shot. You seemed to read into it something like "Aha! How about your software fool!?!"

That said, if it were a reporter asking the question, then I would see it as a gotcha, because the use of the word confirm is used as a setup sometimes.

2: Tech bias. Not everyone on here is a Dev, and even though I know a fair bit about programming it would not be a trivial task to do what is simple for you regarding checking out code injections and what they do re a security standpoint. That would probably be a long afternoon of googling for me :)

Just my view...

[jonahx]

Sure. I took the original question at face value: It was a user who was concerned and wanted reassurance. Imo, it's a big leap to read it instead as a setup for a hostile "gotcha" style followup. I mean, is it possible? Sure. But there's no evidence for that interpretation. And to take a stats view, the bayesian priors aren't there (ie, most people aren't conniving snakes). Given that, it seemed to me that you were bringing your own kind of evidence to the table -- perhaps a personal experience in which you'd been similarly setup and mistreated.

[arcticfox]

Also, just because we're on Hacker News, it doesn't mean every reader is equipped to audit code for security vulnerabilities.

Presumably that's the job of a professional security developer that might reasonably be expected to have checked their own similar product for this vulnerability...

[throwanem]

Fair. I would, though, expect someone whose HN profile identifies him as an experienced full-stack engineer to be up to the challenge of spotting something as basic as an extension injecting code into untrusted DOM and trusting the results that code gives back.

[juandazapata]

Chill. There's no need to bash other people's expertise. We get it, you're an expert in the domain, but this is adding nothing to the conversation.