Closed
Bug 1159762
Opened 10 years ago
Closed 6 years ago
Consider adding Saved Passwords to the Clear Recent History options
Categories
(Toolkit :: Password Manager, enhancement, P5)
RESOLVED
WONTFIX
People
(Reporter: joshbibb9, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150415140819
Steps to reproduce:
1) Log into gmail, have browser remember password
2) While logged into gmail, clear browsing history, cookies, active logins
3) Gmail will kick you out to one of two places: either their main page or a login prompt
4) If you get kicked out to the main page, click on 'sign in'
5) Once you are at the login prompt, observe the page
Actual results:
The login prompt does not have my gmail account autofilled, the 'email address' field is left blank.
HOWEVER- the password field is still autofilled, with the correct password to boot.
This presents a significant security risk because now anyone who knows my email address can sign into my account freely.
Expected results:
The password field should absolutely not, under ANY reasonable circumstances, autofill before the account that the password is saved with is entered. I would expect the password field to not populate until I have entered my mail account into the appropriate field. This appears to be how the 'password saving' works on other sites with logins I've used, but for some reason not with gmail.
Comment 1•10 years ago
If you go into Tools > Options > Security, and click "Saved Passwords...", and filter for google.com and/or the domain where you see this, is there or is there not an entry with no username listed?
Because I do have such an entry, and it would explain exactly why this happens.
Group: core-security
Component: Untriaged → Password Manager
Flags: needinfo?(joshbibb9)
Product: Firefox → Toolkit
There is in fact an entry with no username for accounts.google.com.
Is this expected behavior then? It still seems erroneous to me that a user/key pair could be stored without the user part.
Flags: needinfo?(joshbibb9)
Comment 3•10 years ago
(In reply to Josh Bibb from comment #0)
> 1) Log into gmail, have browser remember password
When I test this via loading gmail.com and clicking "Sign in" in the top right, Firefox successfully saves both the username and password but an older version of their page didn't have the username available (bug 888664) for Firefox to know what to save as the username. Are you still able to get a Google login saved with only a password? If so, I would like to fix that.
> HOWEVER- the password field is still autofilled, with the correct password to boot.
I think this is the main issue reported in the bug. I believe you were using the Clear Recent History dialog and were expecting one of those options to also remove passwords but none of those do that. Some of us were actually discussing that option yesterday. If you want to delete passwords you need to use the dialog mentioned in comment 1.
Note that the Forget About This Site feature should work on saved passwords.
(In reply to Josh Bibb from comment #2)
> There is in fact an entry with no username for accounts.google.com.
>
> Is this expected behavior then? It still seems erroneous to me that a
> user/key pair could be stored without the user part.
Yes, it's expected behaviour when you are in that state. There are valid use cases for websites to have only a password without a username (e.g. shared passwords) that users want saved.
In development versions of Firefox we recently added the ability for the user to add a username to a password-only login at the time of saving (bug 1145913) so that should help. The username and password will eventually be editable in other UI as well.
We also have a known issue that we never ask if you want to add a username to a login if you later use the saved password in a form that has both a username and password field detectable (bug 1016051).
We're working hard this year on improving the Firefox password manager so I very much appreciate the bug report.
Severity: normal → enhancement
OS: Windows 7 → All
Hardware: x86_64 → All
Summary: Firefox erroneously populating gmail password field, with full, correct password, after clearing browser history → Consider adding Saved Passwords to the Clear Recent History options
(In reply to Matthew N. [:MattN] from comment #3)
> for Firefox to know what to save as the username. Are you still able to get
> a Google login saved with only a password? If so, I would like to fix that.
I just cleared all my stored passwords, cleared the history again, then saved my google login, and it did in fact create the record again with the username stored as well. Looks like what I was seeing was a result of the last time I saved that password being when they were on that older version of the page then.
I appreciate you guys taking the time to offer feedback and understanding.
Updated•9 years ago
Priority: -- → P5
Updated•6 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
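The check that comment 1 asks for (is there a saved login with no username?), as an added example that is not part of the bug thread or of Firefox's code: it scans a CSV export of saved logins and reports each origin that holds a password-only entry, noting whether the same origin also has an entry with a username. The `url`, `username` and `password` column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export; the column names are an assumption.
SAMPLE_EXPORT = '''"url","username","password"
"https://accounts.google.com","","constructed-pw-1"
"https://accounts.google.com","user@example.com","constructed-pw-1"
"https://intranet.example","","constructed-shared-pw"
"https://forum.example","alice","constructed-pw-2"
'''


def origin_of(url):
    """Reduce a URL to scheme://host[:port] so entries group per login origin."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme}://{parts.netloc}".lower()


def audit_password_only(csv_text):
    """Return findings for saved logins whose username is empty.

    Each finding is (origin, password_only_count, has_named_entry).
    Passwords are read only to skip blank rows and are never returned.
    """
    password_only = defaultdict(int)
    named = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not (row.get("password") or ""):
            continue  # nothing stored that could be autofilled
        origin = origin_of(row.get("url") or "")
        if (row.get("username") or "").strip():
            named.add(origin)
        else:
            password_only[origin] += 1
    return sorted((o, n, o in named) for o, n in password_only.items())


if __name__ == "__main__":
    for origin, count, has_named in audit_password_only(SAMPLE_EXPORT):
        # Heuristic hint only: a named entry beside a password-only one
        # suggests the latter was saved before the username was captured.
        hint = "also has a named entry" if has_named else "password-only entry alone"
        print(f"{origin}: {count} password-only entry(ies), {hint}")
```

Entries it reports can then be reviewed and removed in the Saved Passwords dialog mentioned in comment 1, since Clear Recent History does not touch them.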