Tuesday, March 23, 2021

Substack’s Subscription Form vs. 1Password Autofill

Timmy O’Mahony (via Hacker News):

To state the obvious: there is no $2,023 plan here. There is a “founding member” option, but I’m sure I didn’t click that?

Wait, what did I do? I’m certain I selected “monthly $10”, then I opened 1Password and clicked my saved card details. Then I hit “Subscribe”.


When I’ve clicked my card details in 1Password, it’s entered my expiry year in the hidden, custom subscription amount box[…]. Because this box has now changed value, the Substack UI has automatically selected this option. I’ve then hit “Subscribe” before I had time to notice and 💸 $2,023.


I think this is something Substack probably should have anticipated, and should have prevented by adding the autocomplete attribute to the two year fields, so that 1Password can properly identify them. Auto-filling credit card numbers is pretty common, and just having a field called "year" in your subscription form without any metadata identifying your fields is a pretty big oversight.

There are far more web sites than just Substack that don't bother to pay attention to details like these that actually matter.

Screen readers and other accessibility software also rely on the same attributes - I'd wager if you started making noise about such sites being hostile to the disabled they would take a sudden interest in sweating these particular details :p
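
The check the comments above call for, as an added example that is not from Substack, 1Password, or the quoted commenters: a small audit that flags card fields missing their `cc-*` autocomplete token and visually hidden text inputs with no autocomplete value. The field names, the name-matching pattern, and the descriptor shape are assumptions made for illustration.

```javascript
// Added example: not Substack's or 1Password's code.
// Standard HTML autocomplete tokens for payment-card fields.
const CARD_TOKENS = new Set([
  "cc-name", "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc",
]);
// Assumption: name fragments that suggest a card field to a heuristic filler.
const CARD_LIKE_NAME = /card|cvc|cvv|exp|month|year/i;
// Input types that do not take typed or autofilled text.
const NOT_TEXT_FILLABLE = new Set(["hidden", "submit", "button", "checkbox", "radio"]);

// fields: [{ name, type, autocomplete, visuallyHidden }] -> [{ name, issue }]
function auditAutofillHints(fields) {
  const findings = [];
  for (const f of fields) {
    if (NOT_TEXT_FILLABLE.has(f.type)) continue;
    // The field-name token is the last one, e.g. "billing cc-exp-year".
    const tokens = (f.autocomplete || "").toLowerCase().split(/\s+/).filter(Boolean);
    const hint = tokens.length ? tokens[tokens.length - 1] : "";
    if (CARD_LIKE_NAME.test(f.name) && !CARD_TOKENS.has(hint)) {
      findings.push({ name: f.name, issue: "card-like field lacks a cc-* token" });
    } else if (f.visuallyHidden && hint === "") {
      findings.push({ name: f.name, issue: "hidden fillable field has no autocomplete value" });
    }
  }
  return findings;
}

// Constructed sample modelled on the form described above (field names are made up).
const sampleFields = [
  { name: "card_number", type: "text", autocomplete: "cc-number", visuallyHidden: false },
  { name: "month", type: "text", autocomplete: "cc-exp-month", visuallyHidden: false },
  { name: "year", type: "text", autocomplete: null, visuallyHidden: false },
  { name: "custom_amount", type: "number", autocomplete: null, visuallyHidden: true },
  { name: "plan", type: "radio", autocomplete: null, visuallyHidden: false },
];

// In a browser console, descriptors can be built from the live page, e.g.
// [...document.querySelectorAll("input")].map(el => ({ name: el.name, type: el.type,
//   autocomplete: el.getAttribute("autocomplete"), visuallyHidden: el.offsetParent === null }))
// (offsetParent === null is only an approximation of "not rendered").
console.log(auditAutofillHints(sampleFields));
```
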

