This is an example of a common antipattern in software: some piece of software fails to correctly implement something (here, modern HTML autocomplete="cc-exp-year"), and another piece of software goes through all kinds of contortions to work with incorrect or incomplete implementations with the result that it now behaves undesirably with a third piece of software. Specifically, 1Password has to do complicated guesses of what to fill where because many sites don't set autocomplete properly, so inevitably it will guess wrongly sometimes.<p>Other examples are problems with lock files and file versioning (because programs tried to roll their own when the operating system didn't provide them), and the complexity of parsing "HTML soup" and emails with all kinds of bizarre invalid syntaxes.<p>I can't offer a general solution, but if password managers simply refused to autofill to any field other than the one with the matching standard autocomplete attribute, web developers might start doing the right thing. (Do Safari, Chrome and Edge already do this? Only they have the clout to make it happen.) The user could still fill out a text box lacking the standard autocomplete attribute by right-clicking and manually selecting the correct field. Password managers should also get cheaper because their vendors would not need armies of developers adding workarounds for popular sites.<p>Somehow this kind of nonsense has become culturally acceptable in the software industry. If the car industry worked this way you'd have to take your car back to the dealer once a month to be patched to take account of constantly changing fuel formulations. Standards exist for a reason.
I had a similar 1Password moment. I was buying airline tickets; entered my name, my wife’s name, address, declined insurance, declined hotel offer, scroll scroll scroll... Then I let 1Password fill in my payment details, which it did perfectly fine. But... what it ALSO did, on a field now well off the top of the screen, was change my wife’s first name to my full name.<p>I caught this when I got the confirmation email. I called the travel website, and they said since it was within 24 hours I could just cancel the tickets for free, or if I liked I could pay an outrageous fee to the airline to change the name on the ticket. Unsurprisingly I chose the former.<p>So, nor harm done, but if we’d gotten to the airport and my wife couldn’t come on holiday because I didn’t have a ticket for her... could have gone badly. :P
I've put "temporarily" in the title because the post now says the money has been refunded. The article is worth leaving up because, unlike the typical riler-upper, it touches on a phenomenon which is interesting in its own right. But I don't think it's fair to leave up a title that implies that there's an uncorrected injustice to get angry about. If anyone has a better solution, we can do that instead.
Yikes. I love my password manager, but I decided when I got it that I was never going to use the browser extensions. Putting your password manager anywhere near your web browser just seems like insanity to me (all the exploit write-ups I recall about password managers were related to browser extensions and sandbox escapes).<p>This seems like another reason. It's not worth it. Keep the password manager in its own app and apply the tiny extra effort of pasting the password from there.
That order form has poor usability.<p>1. It uses placeholder text instead of a label. See "Placeholders in Form Fields Are Harmful" <a href="https://www.nngroup.com/articles/form-design-placeholders/" rel="nofollow">https://www.nngroup.com/articles/form-design-placeholders/</a><p>2. It hides the fact that the "$250/year" is actually a text box. See "Long-Term Exposure to Flat Design: How the Trend Slowly Decreases User Efficiency" <a href="https://www.nngroup.com/articles/flat-design-long-exposure/" rel="nofollow">https://www.nngroup.com/articles/flat-design-long-exposure/</a><p>3. The app makes the text box into a button plus text box. As a button, it modifies its parent widget, the radio button. This is unexpected behavior. The app would be better to show the text box after the user selects the "Founding Member" radio button. That would make the text box subordinate to the radio button and reduce user errors. See
"8 Design Guidelines for Complex Applications - 6. Reduce Clutter Without Reducing Capability" <a href="https://www.nngroup.com/articles/complex-application-design/" rel="nofollow">https://www.nngroup.com/articles/complex-application-design/</a>
I wish sites would test their forms with popular password management systems. This kind of thing happens all too often (thought perhaps not with such a high cost). Why not make it easy for people who auto-fill with these programs -- don't fight them.<p>(And I won't get into sites that won't let you paste passwords into their forms.)
Just wanted to add some detail on how the 1Password extension operates here, since the term "autofill" can be ambiguous:<p>1. The "autofill" function only fills in the credit number when the user specifically tells it to; it does not proactively fill forms with no user intervention.<p>2. "autofill" does not automatically submit the form after filling (although certain forms may be implemented to submit automatically once complete); in this particular case, the user still has a chance to review the completed form before manually clicking the subscribe button.
This is exactly why I don't trust autofill. How many times has it passed along information you didn't intend, but <i>without</i> any obvious errors? Nobody knows.
The abominable UX in this situation is that users need to give free access to their credit card for payment, at the promise that the other party will play nice. This is backed by strong laws, but still absurd.<p>The control should be inversed: the 3rd party should request payment from your bank and you would be able to confirm it from the bank website or app.<p>This is already possible in Portugal with an app where you can give a seller your phone number and it prompts you for payment.<p>(might be something of a privacy issue, but it beats a possible fraud issue)
That's one of the reasons I don't want to use 1Password and instead I'm just using old KeePass. KeePass fills what field I've selected. 1Password does its own magic and I don't like magic. KeePass might be slower, but I'm not filling those forms every day, so I can live with it. Basically KeePass does simple thing and does it well. 1Password might be good at doing complex things, but it does not have AI.
I see a lot of comments blaming either substack or 1password, but to me it seems the archaic transaction method of credit cards deserves most of the blame for these kinds of problems.<p>If the transaction authentication takes place on a separate page hosted by your own bank (so after the amount has been finalised) these kinds of mistakes can't happen. Unless the user neglects to look at the shown amount, but then the user is clearly at fault.
I've updated my blog post to include 1Password in the title as it contributed to the issue (I can't update the title here). That said, I've never experienced this before, having used 1Password on 100s of other payment forms so something is up.<p>I do think there are design issues with people being able to set subscription amounts manually without having a confirmation step when doing so.
Here's another report today of someone wrongly paying $2023 per year for a Substack newsletter: <a href="https://twitter.com/jessesingal/status/1374019267147018243/photo/1" rel="nofollow">https://twitter.com/jessesingal/status/1374019267147018243/p...</a><p>Maybe it's the same subscriber and/or same publisher as in this blog post? If not, that would either be a very unhappy coincidence or a strong signal to Substack that they need to fix this issue.
I see replies blaming 1password being downvoted, so I'll ask a question instead. Why would 1password decide to fill out that particular input with the expiration date?
Just because a lot of people are commenting on this without seeing the form, if you go here[1] you can see it in action (no association with the page, it was the first one that turned up on Google).<p>A couple of takeaways missed by various comments:<p>The hidden input box can in fact be manually edited, and if the user selects "Founding member" that fact is highlighted (the cursor is inserted into the textbox).<p>The hidden input's name attribute is "value". The guess that 1Password is basing its guess on the "/year" text is probably accurate.<p>[1] <a href="https://nonlinearproject.com/subscribe" rel="nofollow">https://nonlinearproject.com/subscribe</a>
The deeper problem here is that credit card numbers are obsolete. Websites should be using Apple Pay and similar stored payment info APIs that don't go through an unnecessary error-prone user-facing interface. (Yes, Apple etc. are oligopolists, but so are Visa/MasterCard)
An article on HN a few years ago on how easy it is to steal data using auto form fill.<p><a href="https://news.ycombinator.com/item?id=13329525" rel="nofollow">https://news.ycombinator.com/item?id=13329525</a><p>For this reason, never use auto form fill.
This is why I don't have my credit cards stored for "easy" input and submission and instead always enter them manually<p>I really wish Dashlane would let me disable the reminded to save my credit card details as this is a feature I do not care for
I don't doubt the story, but if the expiry year was in the wrong field, why did the payment go through?<p>Did 1Password fill in the year twice? That would be a huge bug. Or will a fraud detection system ignore the missing year if everything else is fine?
It was not expensive, merely inconvenient, but 1Password and Waze combined to give me a two hours of frustration in December. At the end I went back to the beginning and reported the experience here. I wrote on twitter,<p>"Let's follow a trail of really Bad Tech Decisions between Waze and 1Password."<p>-- <a href="https://twitter.com/cpp_delphi_dave/status/1335639039295303681" rel="nofollow">https://twitter.com/cpp_delphi_dave/status/13356390392953036...</a> to read more. It's short.<p>Of the two, 1Password did reach out, but Support emails went nowhere. Waze never reached out at all.
Interesting bug. Appreciate the post and the disclaimer at the top but IMO the headline should be updated too. Right now it’s a bit clickbaity and also inaccurate.
This story reminded me of my experiences working in a bar (in the UK, chip-and-pin was a thing but contactless was only just rolling out) It was mainly a student bar so basically every card was a debit card...<p>I occasionally would come across declined card receipts from the machine for some 6 figure amount that had been attempted to charge. Was concerned at first but what had happened was clearly the staff member had forgotten to press enter after typing in the amount, the customer still saw the amount - put in their pin, enter, now it says type pin, try again, then panic when their bank declines it. Luckily the only bad thing that would come out of this is that they should go to the ATM and change the pin, after running the transaction again properly.
I use a prepaid card online, which would have been a good safety net against things like this<p>Also he was able to get a refund, and i think in most places online, you can cancel the order
You are lucky. I was trying to get a refund from fax site where they let you enter a value into dropdown and then happily charge you default value.<p>I tried to dispute it with them, tried to dispute with Paypal and itdidn't protected me, even if I had evidence in a way of showing how the UI is not working and the charge - the answer was always "not enough documents provided". Luckily it was only $10, but maybe I should also have posted on HN
It's interesting Substack is getting the blame here rather than 1Password.<p>Ultimately, though, I think it's two separate systems doing the best they can to work together, and failing. Payments should be handled by the browser, like how mobile phones do it. I loathe giving Google or Apple more power/control, but this is a situation where I'm still genuinely shocked how rudimentary payments online are.
Ironically, the founder of my company and I spent over an hour breaking apart this exact page yesterday talking about its UI. There are a lot of really good things that this page does right (shows tradeoffs between different tiers in a way that's not confusing at every tier), but... yikes. Sorry to hear about this.
One of my utilities likes to add an extra bit of login confirmation with a question, like, "What is your favorite sport's team?". Every time, my password manager prompts me to overwrite my site password with answers to those questions.<p>It's like walking over a railroad bridge that's falling apart.
It's been a while, but a similar thing happened to me. The delivery address form was on the same page as the cart, and my autofill put my zip code into the article amount. A little shocking at first to see a bill of 65,000€ instead of 12€, but at least it took less than an hour to resolve.
Great to hear that this got resolved and fair play to Substack for that, but this is inarguably a 1Password bug. If there had been any issue with resolution, they'd be the party I'd be chasing.<p>Other commenters here have bemoaned the need for these kind of heuristics in dealing with compat with bad HTML form implementations, but there's an easy fix to that: origin-based compat lists. Browsers do this for quirksmode/website compat fixes: they apply heuristics to a specifically tested list of sites. And browsers need to work with a much larger set of webpages than 1Password, so there's no reason 1Password couldn't do the same.<p>There isn't really any good excuse for applying heuristics blindly by default to a wide range of websites you have not tested those heuristics against. There might be an argument if it increased overall compat with the web IF these weren't highly sensitive pages (1Password saves credit card details!), but in this case there isn't really any excuse. The cost of achieving "blind" compat with smaller sites is too high in this case.
1Pass definitely needs to add some kind of notice or alert when it fills in hidden fields. And it really needs to not overwrite a field that’s already been filled in. It’s really frustrating when it decides to h do everything you typed in.
After seeing 1Password's automatic form filling behavior in action almost a decade ago I decided not to use it just in case of this sort of thing.<p>I'm happy to use for storing my passwords and maybe logging in but that's about it.
Whoa. That's absolutely insane. And yet now that someone has demonstrated it I can see this turning into a dark pattern that a variety of less scrupulous sites will use in the foreseeable future.
Why are those fields not overridden in the backend?... If the back-end doesn't check those fields are what they should be for each option then the reverse could also be true (free membership)
I only let my password manager fill in passwords. It’s less efficient for sure but my cc details are in muscle memory and filling out my name and address doesn’t really bother me too much.
OSs need to provide credential management with APIs to let users choose their password manager, and then browsers can use OS support. Only then can we stop the madness.
Nevermind that, does that mean that their billing has an exploit and I can buy Substack Founder for $1? Or can I convince their system to bill me -$1 for that matter.
Has anyone noticed that NameCheap's login page makes the newsletter field get filled in when you use a password manager to autofill the login page?
The author knew from the beginning it wouldn't "cost them $2023", but that it would most likely be solved by a simple support request. The title is misleading.