Closed Bug 1300751 Opened 4 years ago Closed 4 years ago
Old password field automatically populated when one wants to change its password
[Affected versions]:
- Firefox 49.0 RC
- latest Developer Edition 50.0a2
- latest Nightly 51.0a1

[Affected platforms]:
- Ubuntu 16.04 32-bit
- Mac OS X 10.9.5
- Windows 10 64-bit

[Steps to reproduce]:
1. Sign in to Sync
2. Visit about:preferences#sync
3. Click 'Manage Account'
4. Click 'Change' in the Password section
5. Click 'Cancel' in the Password section
6. Repeat step 4.

[Expected result]:
- At step 4 the 'Old password' field is empty and the user is required to enter the old password.

[Actual result]:
- At step 4 the 'Old password' field is already populated with the existing password. At step 6 the field is empty, as it should be.
- This behavior can also be seen in the Delete account section.

[Regression range]:
- I am unable to search for a regression because this is a server-side issue.

[Additional notes]:
- Screencast showing the issue attached.
- I've already seen a similar bug on Android (bug 1213812) that has been marked as WONTFIX, but IMHO this is a real privacy issue.
Ryan, what do you think? Is this expected behavior?
Is this password being auto-filled from the password manager? If so then it seems like more-or-less the expected behaviour. As a data point, I see the same behaviour on Github's "change password" screen: the "old password" field is auto-filled by the password manager. As a user I feel like I'd be more upset if the password manager *didn't* auto-fill this field. I'm going to WONTFIX this as behaving as expected, but...

> IMHO this is a real privacy issue.

Please say more about your concerns here and I'll be happy to re-consider.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
After further testing, the old password is remembered only if I choose to remember it when I first sign in. I would only expect it to be remembered on the 'Sign in' form after I disconnect and sign in again. I don't know exactly how other websites handle this matter, but I am sure I saw another example with an 'Old password' field that did not save the password like we do, and I was required to type it manually. From my point of view, I see the 'Old password' field as an extra security step, since you have to know your password to change it, or use 'Forgot password?' if you don't. Let's say that I leave my FF open and I'm logged in to my account: it's easy for someone with access to my PC to change the password or delete the account, since no confirmation email is sent for either a password change or a deletion, only a notice email that something has changed on your account.
> Let's say that I leave my FF opened and I'm logged in to my account,
> it's easy for someone with access to my pc to change the password

Preventing auto-fill on the form would not do much to avoid this - Firefox has the password saved in the password manager; if someone really wants to change your account password, they can go into the password manager to retrieve it. I'm cc'ing our Product Manager Alex for a second opinion, but IMHO we need to let the password manager do its job in this case. Alex, thoughts?

> you have to know your password to change it

As a data point, I actually *don't* know most of my passwords; they're randomly-generated and stored in Firefox's password manager.
Flags: needinfo?(rfkelly) → needinfo?(adavis)
Here is another discussion about this: Bug 1296584. We didn't feel the explanation given in the Chromium FAQ was totally logical (Bug 1296584 Comment 4); however, :bogdans_maris just presented us with another user flow that we hadn't considered. Is it any different from having LastPass auto-fill? How would it impact a security feature like this? https://waffle.io/mozilla/fxa-features/cards/57d0a75e0ef1b02102fdf4dc That being said, I will link to this bug in that feature card so we can revisit the topic when we start work on that feature.
I think we have two options: either the current behaviour, or refusing to save the Firefox Accounts password at all, per Bug 1296584. Saving the password but only auto-filling it some of the time doesn't make a lot of sense to me, but I could be convinced by prior art on other large identity providers.