Closed Bug 1277172 Opened 8 years ago Closed 4 years ago

Remember password on battle.net saves period characters

Categories

(Toolkit :: Password Manager: Site Compatibility, defect, P3)

53 Branch
defect

Tracking

RESOLVED FIXED
mozilla77
Tracking Status
firefox-esr68 --- wontfix
firefox66 --- wontfix
firefox75 --- wontfix
firefox76 --- wontfix
firefox77 --- fixed

People

(Reporter: medhefgo, Assigned: severin)

Details

(Whiteboard: [fixed by bug 1532377])

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160502172042

Steps to reproduce:

After logging in on https://eu.battle.net/login Firefox asks to remember the password. If you let it do so, it will instead save a password consisting of dots ("........" in my case) instead of the actual password entered. Obviously, logging in with the saved password later will fail.
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Thanks for the report.

Note that the workaround is to correct the password in the capture password prompt before clicking remember (even though you can't yet reveal the plaintext there). We might instead offer to change the password to periods upon successful login though.

The issue is that we capture the correct username and password from the form submission but then battle.net calls .click() on the submit button after replacing the password with periods matching the length of the password so we replace our doorhanger prompt with the new one having the incorrect password.

It would be useful to know if the correct password is successfully captured in other browsers.

This cannot be worked around with our current recipes since I don't see any attribute change in the ancestors from the type=password.

Some possible solutions:
A) If a doorhanger is already open and we plan to show another, don't replace the doorhanger if the new password contains the same character repeated (in this case a period but I've seen other mask characters used).
B) Create a new recipe type to provide a selector or some JS code to run in the context of the page to decide whether to capture. It seems like we can use the @value attribute of the #useSrp or #publicA elements to know whether to capture or not.
C) Stack the doorhanger contents (this is probably ugly and confusing) so we would offer both passwords

The solution should also ensure we don't offer to change a password to "....…" as well.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → All
Hardware: Unspecified → All
Chrome does save the correct password, though it doesn't auto-complete it on further login attempts.
Component: Password Manager → Password Manager: Site Compatibility
Priority: -- → P3
(In reply to Matthew N. [:MattN] (behind on bugmail; PM if requests are blocking you) from comment #1)
> Some possible solutions:
> A) If a doorhanger is already open and we plan to show another, don't
> replace the doorhanger if the new password contains the same character
> repeated (in this case a period but I've seen other mask characters used).
> B) Create a new recipe type to provide a selector or some JS code to run in
> the context of the page to decide whether to capture. It seems like we can
> use the @value attribute of the #useSrp or #publicA elements to know whether
> to capture or not.
> C) Stack the doorhanger contents (this is probably ugly and confusing) so we
> would offer both passwords
> 
> The solution should also ensure we don't offer to change a password to
> "....…" as well.

Can we detect what the user actually entered in form (fields), and reject the updated password if it doesn't correspond to user input? Might be a more generic solution.
Summary: Remember password on battle.net saves garbage → Remember password on battle.net saves bullet characters
Version: 46 Branch → 53 Branch
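
Option A from comment #1 combined with the user-input check proposed in the reply above, as an added example that is not part of the bug discussion and is not Firefox's password manager code. The function names are hypothetical and the replayed submissions are constructed; it assumes the caller records the last value the user actually typed, or passes null when that is unknown.

```javascript
// Added example: hypothetical helpers, not Firefox's LoginManager code.

// True when the value is a single character repeated ("........", "****", "••••").
function looksMasked(value) {
  const chars = Array.from(value); // iterate by code point, so bullets count too
  return chars.length > 1 && chars.every((c) => c === chars[0]);
}

// Decide which password the save prompt should show after a new submission.
//   offered   - password already shown in an open prompt, or null if none
//   submitted - password value seen in the latest form submission
//   typed     - last value produced by the user's own input, or null if unknown
function choosePromptPassword(offered, submitted, typed) {
  if (offered === null) {
    return submitted; // no prompt open yet: take the first capture
  }
  if (typed !== null) {
    // User-input check: only replace the prompt with what the user entered.
    // A real password made of one repeated character still passes this check.
    return submitted === typed ? submitted : offered;
  }
  // Option A fallback when user input is unknown: do not let a masked
  // value overwrite a capture that was not itself masked.
  if (looksMasked(submitted) && !looksMasked(offered)) {
    return offered;
  }
  return submitted;
}

// Replay a sequence of submissions for one login attempt and return the
// password the prompt ends up offering.
function replaySubmissions(typed, submissions) {
  let offered = null;
  for (const submitted of submissions) {
    offered = choosePromptPassword(offered, submitted, typed);
  }
  return offered;
}

// Constructed sequence matching the report: the real submission, then the
// scripted re-submission with the field replaced by periods.
console.log(replaySubmissions("kn5t0osw9etg", ["kn5t0osw9etg", "............"]));
```

The check only covers the second capture; it does not address a site that rewrites the field before the first submission.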
I can confirm this is an issue in the Safari browser as well. I would have tested Chrome but it seems Google holds your saved passwords hostage until you sign your access over to them.

I assume this is a site issue rather than a browser one and I'll pursue it through Blizzard's tech support forums.
Summary: Remember password on battle.net saves bullet characters → Remember password on battle.net saves period characters
The goal should be that once the password is saved the next autofill and login should never fail due to a wrong password. But I wonder if this can be achieved race-condition-free as for example a site could alter the password field value on hovering the sending button (for example to apply client-side encryption) which would cause only 1 doorhanger to show up which would already save the wrong password (as the next autofill/login would have a double encryption in this example).

I can't reproduce this anymore in Nightly with the default (not facebook or google) form on https://eu.battle.net/login

The Save Password prompt has the password I typed. Reporter, can you still reproduce this? It's possible the site has changed that login behavior since this was filed.

Flags: needinfo?(medhefgo)

I tried this again and it's still happening for me on Firefox 66. At first it wouldn't reproduce, so I did some digging.

After removing the saved password for battle.net in the manager, Firefox prompted me to save the wrong password again ("........"). On my next login attempt, it would prompt me for my correctly typed/copy-pasted password. After saving that, login attempts will work from there.

Now here is something that's really interesting imho: remove the password, log in for the first time, but instead of saving the wrong password with dots, you "correct" it in the save password prompt of Firefox to a completely incorrect password. Obviously, the next login would still fail with that, but once you log in with the correct password Firefox will again ask you to save the "........." instead of the correct one like it would in the first case.

I assume your password was already correctly (or as dots) saved? If it helps, I tried a new password in case it was some weird characters that caused it, but even a simple one like "kn5t0osw9etg" is triggering this.

Flags: needinfo?(medhefgo)
Depends on: 1530814
Flags: needinfo?(sfoster)

Thanks Jan, that's super helpful.

Flags: needinfo?(sfoster)
Depends on: 1532377
Assignee: nobody → severin.mozilla
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1532377]
Target Milestone: --- → mozilla77