187237 - first popup-type authentication saved in password manager used to fill in all subsequent forms automatically.

Status: VERIFIED DUPLICATE of bug 184436

(Firefox :: General, defect)

Description

[ron adams]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5

Any site that pops up one of those "enter password" type prompt boxes now allows
phoenix to save the password in the password manager. The first saved password
is then used to fill in all subsequent popup forms including non-password forms
(such as bookmarklet that comes with mozilla "Quick Searches -> Dictionary Lookup")

I dislike sending my saved router password to m-w.com when i want to lookup a
word, but the form entry gets filled in automatically with my passwords. Not good.

Where is the password manager?


Reproducible: Always

Steps to Reproduce:
1. Go to: http://www.he.net/~jdoe/info/htaccess/demo.html
2. Click on the first link on page "Restricted Information"
3. type in John as username
4. type in orange as password
5. Check "Save password blah blah" checkbox below so it saves it.
6. Enter site. Done with password saving part.
7. Use a bookmarklet that prompts user for input, such is the famous "Highlight
Text" bookmarklet that highlights the text a user inputs on a specific page. 
Bookmarket below, create a new toolbar bookmark, add this below as the URL

javascript:Qr=document.getSelection();if(!Qr){void(Qr=prompt('Enter word to find
in Merriam-Webster
Dictionary:',''))}if(Qr)location.href='http://www.m-w.com/cgi-bin/dictionary?'+escape(Qr)+'
'
8. should notice that the m-w.com search says...
Suggestions for [first password in your database here]
9. be scared.
Actual Results:  
first password saved in password manager is filled into the prompt. Using the
above bookmarklet searches for that password on the page, and if not found,
displays the following in the statusbar...

"Found 0 occurences of '[password]'."

Can no longer use such bookmarklets.

Expected Results:  
let the user fill in the textbox.

Here is the bookmarklet, drag into your toolbar.
<a href="javascript:Qr=document.getSelection();if(!Qr){void(Qr=prompt('Enter
word to find in Merriam-Webster
Dictionary:',''))}if(Qr)location.href='http://www.m-w.com/cgi-bin/dictionary?'+escape(Qr)+'
'">Highlight Text</a>

Comment 1

[ron adams]

I've tested this in Windows 2000, debian linux 3.0, the following builds. Both
reproduce the same failures.

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5

Comment 2

[David P James]

Attachment: Javascript bookmarklet

You lost me between 5 and 6... after 5 I get a page that says the following:

"Restricted Document
You've successfully accessed this document as either user john with password
orange or user sheri with password apple.

Back To .htaccess Demo"

Where to from there? And I do not fully understand 7 either.

I managed to put a bookmarklet on the bookmarks tool bar, and, after cleaning
it up, it gives me a pop-up that tells me to enter a word to find in the
Merriam-Webster dictionary. I chose "debian" and it returned a list of other
words I might have been thinking of. Typing 'o' instead did not give me a
suggestion of "orange". Finally, just pressing OK with nothing in the field did
nothing either.

I'm turning your script into an attachment which hopefully will either be
dragable or the first link once you open the attachment will be. Using that,
please start at instruction 5 (or rather, 6) and redescribe how to do this.

Comment 3

[David P James]

Ok, the attachment worked. Click on it
http://bugzilla.mozilla.org/attachment.cgi?id=110421&action=view
and then you can drag the "Highlight Text" to your bookmarks toolbar.

Comment 4

[Jesse Ruderman]

*** This bug has been marked as a duplicate of 184436 ***

Comment 5

[Simon Paquet [:sipaq]]

mass verifying.