Closed Bug 112260 Opened 23 years ago Closed 14 years ago

Password manager silently overwrites form-supplied values

Categories

(SeaMonkey :: Passwords & Permissions, defect)

Product:
SeaMonkey
Component:
Passwords & Permissions
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX
Milestone:
Future

People

(Reporter: bartvb, Unassigned)

References

Details

Attachments

(2 files)

Testcase; first open the '1' file, then the '2' file.
734 bytes, application/x-zip-compressed
Details
Form testcase
769 bytes, text/html
Details 
I'm one of the developers of www.phpbb.com
We have a problem with the admin interface to alter a user the DB. To change the
user the admin is presented with a form that contains:

<input type="text" name="username" size="35" maxlength="40" value="JohnDoe" />

Our general login screen also uses a 'username' field (together with a password
field). I've stored my username (BartVB) in for the site..

Now if I go to the user admin and want to edit a user the Form Manager changes
the 'JohnDoe' value of the form to 'BartVB'. IMO that's NOT the desired
behaviour. The Form manager should leave fields alone that have a VALUE set.

Can make a testcase if wanted.
Reporter: Please always include which "Build ID" you're using. Thank you.

And please do include a test case with a detailed step-by-step set of 
instructions for reproducing.  Unfortunately I don't understand what you are 
saying because form-manager never prefills a form unless you explicitly give it 
a command to do so.
Oops. Sorry, forgot the build number. It's the 0.9.6 release; Build ID 2001112009

If the Form Manager doesn't auto fill the form than this should be a Password
Manager problem..

Can make a testcase but not now :D First need to get some sleep...

Changed Component to 'Password Manager'.
Haven't reassigned because morse is default owner of Password Manager issues too
it seems :)
Component: Form Manager → Password Manager
Ok. Made a small testcase. See attachement or:
http://www.vanbragt.com/misc/moz_pm_bug1.html
and
http://www.vanbragt.com/misc/moz_pm_bug2.html

Fill in a username/pass on the first page and store it.
Now when you go to the second page the prefilled username (JohnDoe) will be
overwritten by the user/pass that are stored in the Password Manager. IMO this
is not the desired behaviour.
So what exactly is it that you consider the problem?  Is it the fact that 
password-manager is prefilling the second form with a value that it captured on 
the first form?  Or is it the fact that it prefills a field that already had an 
initial value in the html?

From the summary line I assume that you are referring to the latter.  I would 
argue that that is correct behavior.  An initial value is usually a suggestion 
from the website.  But if the user changes that to a different value, then 
submits and saves, it's obvious that the user didn't want to take the website's 
suggestion.  So on next entry to the page, the value that the user saved is the 
one that should be prefilled.

Indeed, it's the fact that it prefills a field that already had an 
initial value in the html..

It's not the same page in this case and websites don't suggest values out of
nowhere..

Anyway IMO Netscape should leave the fields alone (including the password field)
and should only fill it in during autocomplete or when you're on exactly the
same page as where you saved the username/password.

Current situation is very confusing IMO.

BTW while creating the testcase I got to the point where Mozilla kept asking me
which of 2 (identical?) identities I wanted to fill in as soon as I entered the
page. But I thought there was a different bug about that point already.. Will do
a search later :D
If we change the behavior, we should change it to "if the site suggests a 
username, only prefill a password if the user has saved the password for *that* 
username".  I think that would be a reasonable change, although it would break 
sites that put the text "USERNAME" in the username field until you focus the 
field.
Sounds like a reasonable change to me.
Don't know how the password manager handles these things but wouldn't it be
possible to fill in the password when the users types a known username over the
prefilled 'username' content?
Summary: Form manager overwrites fields with VALUE="username" → Password manager overwrites fields with VALUE="username"
By the way, http://evolt.org/ is the only site I know of that fills in 
username/******** in the boxes until you click on them.  http://www.cnn.com/ 
does something similar with its search field.  I find this practice confusing 
(and I'm sure it's irritating if you've disabled javascript), so I wouldn't 
mind if Mozilla changed in a way that encouraged web sites to leave these 
fields blank by default.
Target Milestone: --- → Future
confirming this bug (since it's a valid issue being discussed)
Status: UNCONFIRMED → NEW
Ever confirmed: true
*** Bug 137823 has been marked as a duplicate of this bug. ***
Sorry I made a duplicate, but I'm glad to see someone noticed it too and
explained it. To bad it hasn't been solved yet ;)

It's there now for a couple of months and I saw it's still "new" and planned for
the "future". What does that mean?
Status: NEW → ASSIGNED
*** Bug 140592 has been marked as a duplicate of this bug. ***
This just bit me badly.  I've spent half an hour trying to figure why the hell
the user details I had in a user maintenance page weren't being displayed, but
_my_ details were always in there.

Finally, I look at the source to the page and find the user's details are all
there just fine, but at some point in the past (not today) I must have
accidentally said 'Yes' to the save login details prompt, and all fields on the
page (i.e. all details for that user) were saved.  Mozilla is now quietly
replacing the values my application inserts in there for the user record being
maintained, and writing my own details in there instead.

The current behaviour definitely has some non-obvious side-effects for people
who are administering a database of users, complete with password fields.

Even after I figured what was happening I spent some futile time wandering
around in the "Form Manager UI" trying to clear the data out before I twigged
that it was the "Password Manager"...

The Architecture should probably be 'All' as this is happening here on Linux
(1.0RC2), and presumably everything else since the original report was for WinXP.

Also, the description could maybe change to something like:
"Password manager silently overwrites all form-supplied values"

Since the forms I am dealing with here have fields for name, address, phone
numbers and lots of other things - not just username and password.
Changed description and OS
OS: Windows XP → All
Summary: Password manager overwrites fields with VALUE="username" → Password manager silently overwrites form-supplied values
It would be extremely nice (and terribly useful) if the auto-fill (both Password
and Form) could be disabled on a page by some HTML meta tag, or by Javascript.
 Expecially in "web apps", it becomes a real pain if a user clicks 'yes' on a
'remember the values filled in'. 
That metatag is the "autocomplete" attribute that can be put on either the form
tag or the input tag.
Thanks a lot - it's a real relief.

Is this attribute (and Mozilla behaviur with it) documented anywhere ?
[ read: how is anybody supposed to know about it ? ]

The autocomplete attribute is not in the HTML 4.01 standard:
http://www.w3.org/TR/html4/interact/forms.html

The only references I found are 
http://lists.w3.org/Archives/Public/www-talk/2000JanFeb/0017.html
http://www.htmlref.com/reference/AppA/form.htm

It's documented somewhere on the MS site.  You're not supposed to know about it
because we discourage its use.  However the financial sites insisted on it and
blocked our browser until we implemented it.
This seems related / to be the same issue. I have the setting 'Preferences ->
Privacy and Security -> Forms -> Save form data from webpages when completing
forms' to OFF.

However - if I save a password from a form, all other form elements but
textarea's are also remembered. This is not expected behavior.
A good example is the PHP bug database (http://bugs.php.net/). If I want to
modify a bug, I will end up modifying it's subject/bug category/resolution state
and even the reporter. IMHO the password manager and form saver should be
completely separated from the end-user's point of view. They serve different
purposes and are only related from an implementation point of view, especially
since they can be turned off/on independantly.
Further more - the current behavior is counter-productive and has nothing to do
with online purchases, for which form filling seems to be integrated in the
first place.
Sorry - build id: 2002101808.
*** Bug 147382 has been marked as a duplicate of this bug. ***
*** Bug 176642 has been marked as a duplicate of this bug. ***
*** Bug 152168 has been marked as a duplicate of this bug. ***
*** Bug 180679 has been marked as a duplicate of this bug. ***
Attached file Form testcase 
the 'autocomplete="no"' attribute does not solve the problem for me. I tried
putting it both on the form tag and the input tag with no changes in behaviour

Mozilla version:
Mozilla 1.2.1

Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.2.1) Gecko/20021210 Debian/1.2.1-3
Reassigning to new module owner.
Assignee: morse → dveditz
Status: ASSIGNED → NEW
I think there are some cases in which inserting automaticly and silently values
in a form can be quite irritating and, if not wanted or expected (like in this
example) and thus not controlled, can be quite dangerous. Imagine an admin who
changes a user profile and saves the form, not noticing that the user data is
overwritten with his own name and password. If there's a "forgot my password"
function, the user who has been overwritten gets the admin username and password.

It would be more secure and convenient to me if the user had manual control over
such autofill login mechanisms. Like an icon in the toolbar (next to print icon
or so) which is highlighted if you're surfing on a page where password manager
would be able to autofill the password. If desired, you click the icon manually,
leaving control to the user. Such a click is not far away and not annoying IMO.
A shortcut (like CTRL-something) would make it quikly accessible.

This would be much more transparent to the user.
I would also like to add my support to the idea that the current behavior is
invasive and causes user errors.  First, if a field has a value tag, then the
value tag should take precendence.  Only if the field has no value tag or the
value tag is empty should the browser consider _automatically_ filling in the
field, although I personally don't think I would ever turn that on
intentionally.  Second, auto-fill should be under explicit user control, similar
to how IE pops down a list of values that are known to have been filled in in
the past.  (Hey, IE isn't ALL bad -- it's just the competition -- plus you guys
seem to be imitating more and more of IE's good features anyhow.) 

I don't normally add semi-useless comments like "why isn't this fixed yet?" to
bugs, but in this case I'm making an exception. I develop a PHP-based CMS and
it's driving us mad.

This bug was originally reported nearly two years ago. Fixing it should be a two
line patch for whoever maintains this bit of the code. You only need to check to
see if the input box has already got data in it before filling it.

This is causing such seriously important issues in so many web apps that I'm
marking it a 1.4 blocker. Many people will doubtless disagree, but please if you
do consider the triviality of the fix, and the seriousness of the problem.
Flags: blocking1.4+
mozilla@almaw.com, please don't set flags if you don't know how.
Flags: blocking1.4+
i think this is a very bad bug, as it already took a long time for me searching
for strange "password changes" in our web-based user administration.

I would prefer the following solution:

If values are supplied by a form, a messagebox should show up to ask if the user
wants to overwrite the form-supplied values with the values stored by the
password manager.

I wonder why this is marked as a "new" bug as the first bug-report is from 2001.

I believe the priority and severity of this bug should be increased
dramatically.  I also believe the developers should act a little more quickly to
fix this bug (understatement).  On the other hand, it might help if some of us
were to try to locate the bug ourselves and offer a patch.  That may be the
mantra of a lazy or overworked maintainer, but if we want to get this fixed,
perhaps we should offer some help.

this bug seems to be ignored ... why ? what can i do about it ?
could anybody raise the priority ? 

this bug is marked "new" but it's first reported 2 years ago!
(no, i can not provide a bugfix, as i am no "C"-programmer)

note that this has been fixed in firebird (bug 216395).
This wasn't fixed correctly in Firebird.  See bug 218135.
I'm going to add me "me too" as well.  I've developed a web interface for an
embedded system.  There are four userids, but only two of them can have their
password changed.  Here's a scenrio:

1) User logs in with one of the two userids that can't be changed
2) User selects "change password" page, so that he can change the password for
another user
3) That page has the following tag: <input type='text' size='7' maxlength='7'
name='user' tabindex=1 value='admin'>
4) However, instead of seeing "admin" in the "User ID" prompt, he sees his own
password, "dev".
5) User then thinks that he can change his own password, even though he can't.

Here's a more obscure scenerio:

1) User logs in with userid "dev" (one of the userids that CAN'T change its
password) and tells Mozilla to remember the userid/password.  User then logs out.
2) User logs in with userid "admin" (one of the users that CAN change its
password), but does NOT tell Mozilla to remember the userid/password.
3) User goes to the change password page, that has this HTML in it: <input
type='text' size='7' maxlength='7' name='user' tabindex=1 value='admin'>
4) User expects to see "admin" in the User ID: field, but instead sees "dev". 
Why?  Because Mozilla was told to remember "dev" on the login page.  This web
page is completely different, but the input tag has the same name: user. 
Mozilla thinks the two forms are the same, so it overrides "admin" with "dev".

Please fix this bug!
This bug will never be fixed. Still marked as new since 2001.
I gave up using mozilla because of this bug.
I can not recommend it to our customers because silently overwriting server 
supplied form data could cause lots of trouble in environments where more than 
one password is needed.
Server supplied form data should never be overwritten by the browser (without 
confirmation), and no other browser but mozilla is doing that.
Obviously nobody is interessted in fixing this bug, so i will stop any bug 
reporting from now on.

This is a horrible bug.  It's bad that this doesn't get any attention.  It 
could be that Mozilla has a lot of bugs that are far worse than this one, and 
the maintainers just haven't gotten around to it.  That isn't encouraging.

I don't have any knowledge of the internals of Mozilla, so I can't fix it 
myself.  If we want this fixed, one of us is going to have to bite the bullet 
and submit a fix.  I'm sure it'll be accepted.

*** Bug 175602 has been marked as a duplicate of this bug. ***
Note that a workaround for this issue is to uniquely name your form fields for
login vs user administration.  The browser will not overwrite form fields unless
they have the same name.
*** Bug 262678 has been marked as a duplicate of this bug. ***
One of the comments and links in this thread suggests to use autocomplete="no".
Most pages I found on this subject on the other hand suggest autocomplete="off".
The former does not seem to work (tested on Camino20041021), the latter does.
It's about time this tag became standardized and documented!!!!
Seems that Password Manager is still playing with the users nerves.

If there is no option to set the auto-fill on at user request (see Additional
Comment #28), then I suggest the "Undo" Feature. At user command the previous
values would be restored.
Product: Browser → Seamonkey
I agree with most of the comments that this is a somewhat insidious bug.  

I have a basic form that requires a generic password, known to a group of
people, to stop casual users from altering data.  The password is just for the
form, and not related to any username.  One of the fields on the form is
"Author".  When editing the data, the "Author" field is pre-supplied by the
form.  However, Password Manager assumes that the "Author" and "Password" fields
are linked, and fills both in, overwriting the form-supplied field.  This is not
the desired result.  In my case may be able to get around it by supplying a
dummy "username" field on the form - to fool Password Manager.  But before I
recognised the problem I overwrote existing data a number of times.

Very dangerous if you are not aware of it.  In my opinion, form-supplied data
should absolutely take precedence over Password Manager.  Often it is supplied
by a database, and should not be changed.  There are some cases when this might
cause hassles - ie when the form supplies an initial value that is expected to
be changed.  But most sites would just supply a blank box in that case.

If the form doesn't supply data, then perhaps Password Manager can fill it in. 
But even that may cause some issues.  I haven't thought it through.
I'm experiencing the problem described here:

http://drupal.org/node/433
It's been 3 1/2 years, will this ever be fixed? Sounds to me like the only
reason it's not being fixed is that some people want this behavior for those
annoying websites that put initial throwaway text in login fields. If that's the
case, then why not just add an option under the "Save Passwords" options to
"only auto-fill blank form fields", or make it a setting in one of the user
config files like user.js.
I've tried added AUTOCOMPLETE="OFF" to my form tag, but it doesn't seem to do
anything (using Firefox 1.0.6 on Windows XP). How do you get this thing to work?
Currently I have to use Internet Explorer whenever I need to administrate users,
'cause unlike Firefox, their password management system actually works correctly.
For those following this bug, Bug 270558 appears to be similar, almost to the point of being a dupe.

I see this behavior on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 (looks like 1.5 didn't fix it).
Assignee: dveditz → nobody
Bug 270558 is the equivalent bug for Firefox.  This bug is for Seamonkey.
When will this bug will be corrected ?
This bug appears to be fixed in Firefox 2. I was able to reproduce it in 1.5 but not 2. Can anyone confirm?
Ooops. I just understood Jesse's comment. It is fixed in 2, just not in Seamonkey I guess.
(In reply to comment #54)
> *** Bug 309312 has been marked as a duplicate of this bug. ***
> 

I still have this problem with the last seamonkey. But I never had this problem with firefox.

It happens on a page using javascript to modify the password for an account.

Here is an extract of the code used :

>function EditUser( pass_text, pass_value,  boite_text, boite_value ,loginid)
>{
>	var pass = prompt(pass_text,pass_value);
>	if(pass)
>		var folder = prompt(boite_text,boite_value);
>	if((pass)&&(folder)) 
>		top.BAS.location = >'?action=edit&pass='+pass+'&folder='+folder+'&loginid='+loginid;
>}

> <input value="Edit" onClick="EditUser('Nouveau PassWord :', 'my_password', 'Nbre >de boite?', '1','42');" _base_target="BAS" type="button">

When clicking on the button, the current password should appear in a dialog box, to allow it to be changed, instead of that the dialog box doesn't even appear and the password is crushed with another linked to the website url...
QA Contact: tpreston
This problem of silently overwriting password fields that have a "value" defined is still occurring in Firefox 3.0.4 (rv:1.9.0.4).

I have a login page that defines "user" and "password" fields.  I ask the Firefox password manager to remember these for me, and it does that well.

However, there are other pages in my site where I am updating user records, which also have a "password" fields (and the value is set to "********"), so the HTML looks like

<input type="password" name="password" value="********" size="20">

When I process this form, I look for the asterisks in the password to tell me if the user has changed this field.  If they have, I update my database with the new password, otherwise leave it be.

When rendering the page, Firefox is changing this value to the saved password that is used to enter the site.  (The easiest way to see this is the number of asterisks is no longer 8).  If I click on the "Reset" button, then Firefox puts back the specified value of all asterisks, but if the user does not know to do this, then the password is incorrectly written to the database.

This only started happening recently with Firefox, but it really needs to be addressed.  The password manager needs to remember the exact page that uses the password, not the domain.
SeaMonkey 2.0 is now using the toolkit password manager. The wallet code is now obsolete.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: