Closed Bug 1098348 Opened 11 years ago Closed 11 years ago

Saved Password is garbled for a certain site (Password Manager)

Categories

(Toolkit :: Password Manager, defect)

33 Branch
x86
macOS
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: m.richartz, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141030112145

Steps to reproduce:

1. Using a certain online banking site to log in with account number and password (I will disclose the site URL via PM)
2. FF asks whether to save password
3. User confirms to save password
4. Next time entering the account number, FF will fill in the password (which is indicated by showing dots in the password field).
5. The login fails/is rejected

Actual results:

After two or three attempts, the account was blocked by the bank. I consider this a Denial-of-Service bug, since the online access is business-critical. Looking up the saved password, it turns out that the stored 6-character password is permuted, i.e. the length is correct and the characters are all there, just not in the correct order. Each attempt to store the password again results in a new permutation of the saved password. I have verified this with various versions of FF up to 33.1, on Windows and on Mac.

Expected results:

The password should be stored and entered correctly (or not at all) but never permuted.

I bet that the bank website modifies the password in place and that's how we store the "wrong" password in the password manager. I'm not sure why just the URL (not username/password) would be security sensitive, though - can't you just post it? :-)
Flags: needinfo?(m.richartz)
I discussed with Martin via email, and it seems the bank does mess with the form input before the form is submitted. Unfortunately we can't really fix that kind of case.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Component: Untriaged → Password Manager
Flags: needinfo?(m.richartz)
Product: Firefox → Toolkit
Resolution: --- → INVALID
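
The failure mode described in the comments above, as an added example that is not part of the original bug report and is not Firefox or bank code. It assumes a simplified model in which the password manager reads the password field after the site's submit handlers have run; `permute`, `inPlace`, `sideField` and the field names are hypothetical stand-ins for whatever the site actually does.

```javascript
// Constructed model: a form is a plain object of named fields, and the
// password manager reads the password field after submit handlers have run
// (assumption matching the behaviour described in the comments above).
function submitForm(fields, handlers) {
  const typed = fields.password;             // what the user actually entered
  for (const h of handlers) h(fields);       // site scripts run before submission
  return {
    typed,
    captured: fields.password,               // value a password manager would save
    sent: "token" in fields ? fields.token : fields.password, // value the server checks
  };
}

// Hypothetical per-session reordering of the characters.
function permute(value, order) {
  return order.map((i) => value[i]).join("");
}

// "Before": the handler rewrites the visible password input in place,
// so the saved password is the reordered one.
const inPlace = (order) => (fields) => {
  fields.password = permute(fields.password, order);
};

// "After": the handler leaves the input alone and puts the transformed
// value in a separate field, so the saved password is what the user typed.
const sideField = (order) => (fields) => {
  fields.token = permute(fields.password, order);
};

// Check a site's QA could run: does any handler change what the user typed?
function mutatesPassword(handlers, sample) {
  const r = submitForm({ account: "0000", password: sample }, handlers);
  return r.typed !== r.captured;
}

const order = [3, 0, 5, 1, 4, 2];            // constructed session ordering
const bad = submitForm({ account: "0000", password: "abc123" }, [inPlace(order)]);
const good = submitForm({ account: "0000", password: "abc123" }, [sideField(order)]);
console.log("in place:  ", bad.captured, "| side field:", good.captured, "->", good.sent);
```

With a different `order` on each visit, the in-place variant saves a different reordering every time, which matches the reporter's observation that each attempt to store the password produced a new permutation.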