Closed Bug 1093183 Opened 10 years ago Closed 3 years ago

New tabs tile for Wells Fargo Online undesirably shows bank username

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Version:
32 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: dylan.cross, Unassigned)

References

Details

(Keywords: privacy)

Attachments

(1 file)

FFSec.png
174.74 KB, image/png
Details
Attached image FFSec.png 
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140923175406

Steps to reproduce:

Concise: 
Use online banking commonly
Press ctrl+t
Look at tile for bank site

Expanded: One of my more commonly visited site is my online banking so it shows up on a tile when I press ctrl+t as a shortcut. When I look at the tile for the Wells Fargo site, I see my username in the screenshot of the page.



Actual results:

As it is online banking, I don't save my username or password for security. However, firefox saves a screenshot in which any user on my browser can see my username. Attached is a screenshot, with my actual username disguised. 


Expected results:

I expect and would insist my username not appear on the tiles screen just as it by default does not show up on the page when I view it.
Severity: normal → major
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Keywords: privacy
Resolution: --- → DUPLICATE
Group: core-security
Bug 755996 is too broad to be useful, we need to debug some specific cases.

This case looks like an example of a the username form field being autofilled. If we're capturing in the foreground, that makes sense (either we're capturing after the password manager filled it in, or the site itself is remembering it via a cookie). Not much we can do about that. The site could in theory set the "Cache-Control: no-store" header to prevent it, but presumably they don't want that in this case since this is just the sign-in page.

If we're capturing in the background, our background thumbnailer tries to avoid capturing anything sensitive by not sending cookies, but it's possible we're still auto-filling username/passwords in these background loads. If we are doing that, we should probably prevent it somehow.
Blocks: 755996
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: DUPLICATE → ---
Component: Untriaged → General
Gavin,

To clarify:
When I go to the site, there isn't any auto-fill either by the website or firefox. The site won't do it (as it's a bank site), and I've declined the firefox option to remember (as it's a bank site).

I hope that helps.
(In reply to Dylan Cross from comment #3)
> To clarify:
> When I go to the site, there isn't any auto-fill either by the website or
> firefox. The site won't do it (as it's a bank site), and I've declined the
> firefox option to remember (as it's a bank site).

Given that the screenshot shows a filled in username, that suggests that we just happened to take a snapshot while you were typing. We take snapshots 1 second after tab switches, or after scrolling, or after the page finishes loading.

Hi,

I don't have the proper credentials to access Wells Fargo to test if this is still reproducible.

Given the fact that this is a 7-year-old bug, it seems to me that it may be outdated. Could you please check if this is still an ongoing issue?

Thanks in advance,
Virginia

Flags: needinfo?(dtownsend)

Not sure why you needinfo'd me

Flags: needinfo?(dtownsend)

Closing this as Resolved - WFM since we don't have enough information to reproduce this issue, and the eporter is inactive.

If this is still being investigated or the issue is ongoing, please reopen it.

Thanks,
Virginia

Status: REOPENED → RESOLVED
Closed: 10 years ago3 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: