Closed Bug 1353035 Opened 7 years ago Closed 5 years ago

Mozilla Firefox ignores Autocomplete=OFF when incorrect username/password combination is submitted in the login fields

Categories

(Toolkit :: Password Manager, defect)

50 Branch
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 558178

People

(Reporter: roshanthomas, Unassigned)

Details

(Whiteboard: [sec-insecure-third-party-site-reviewed])

Attachments

(1 file)

Attached image firefox.png
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce:

1. Open a web application in which the login form has autocomplete set to off.
2. Enter valid credentials. The application logs the user in and the browser doesn't prompt for saving the password.
3. Enter invalid credentials. The application responds with an immediate error response. The browser prompts for saving the password.


Actual results:

When the immediate response for a login request is not a redirect response, Firefox ignores the autocomplete=off directive and offers to save the password.

Login Form:

<!-- Login_onSubmit() and Login_onReset() are the site's own handlers and are not included in this report. -->
<form name="Login" action="login.aspx" method="post" autocomplete="off">
  <table cellpadding="0" cellspacing="0" valign="top">
    <tr>
      <td rowspan="6" align="left"><img src="images/ipm_login_left.gif" /></td>
      <td valign="top" colspan="2"><span style="font-family: Arial; font-size: 9pt">Please sign in below if you're already registered with <br />
        Test Test Test</span></td>
    </tr>
    <tr><td colspan="2" height="21px"></td><td></td></tr>
    <tr>
      <td><span style="font-family: Arial; font-size: 9pt; background-color: #FFFFCC">Test ID:</span></td>
      <td><input type="text" name="UserID" height="22" style="width:150" maxlength="8" value=""></td>
    </tr>
    <tr>
      <td><span style="font-family: Arial; font-size: 9pt; background-color: #FFFFCC">Test Password:</span></td>
      <td><input type="password" name="Password" height="22" style="width:150" maxlength="10"></td>
    </tr>
    <tr><td></td><td><span style="font-family: Arial; font-size: 9pt">&#160;</span></td></tr>
    <tr>
      <td></td>
      <td><input name="B1" type="image" value="Logon" src="images/ipm_logon.gif" onmouseover="this.src='images/ipm_logon_over.gif'"
            onmouseout="this.src='images/ipm_logon.gif'" onclick="return Login_onSubmit();">
        <span style="width: 29px"></span>
        <input name="B2" type="image" src="images/ipm_reset.gif" onmouseover="this.src='images/ipm_reset_over.gif'"
            onmouseout="this.src='images/ipm_reset.gif'" value="Reset" onclick="return Login_onReset();">
        <input type="hidden" name="actn" value="validate"></td>
    </tr>
  </table>
</form>



Expected results:

The browser shouldn't have prompted to save the password irrespective of the server response.

Moving to password manager component for review, the bug itself is not a security bug.
Group: firefox-core-security
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Whiteboard: [sec-insecure-third-party-site-reviewed]
We intentionally ignore autocomplete=off for password forms. We believe giving users the option to save their passwords will result in better security than if users use the same simple password on all sites because otherwise they can't remember them. See bug 956906.

Firefox has no idea whether a password is valid or not, especially if the site returns an OK (200) response. The real issue here, IMHO, is that you were NOT prompted to save the valid password. I assume you hadn't already saved it (because it won't prompt if it already has saved a match) so we might want to look for other reasons.

> Expected results:
> The browser shouldn't have prompted to save the password irrespective of the server response.

You will find that the browser world disagrees with you; it's not just Firefox that ignores autocomplete=OFF in password fields.

Hi Dan,

You are right. The browser didn't prompt me to save the valid password. I didn't have any credentials saved for the site either. The only difference I could see between the valid and invalid login request was in the response code. I used the same application in Chrome as well and it doesn't prompt for both valid/invalid login requests.

Reference for comment 2: https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields

Wonder why Chrome doesn't save passwords on this form, they usually do. What if you remove the autocomplete attribute, do the results change in Firefox or Chrome?

Mozilla bugmasters, I believe you should reassess your position to intentionally ignore autocomplete=off, because this position is contrary to the intentions of web developers! There are hundreds of developers who have stated their grievances with this position:

1.) https://bugs.chromium.org/p/chromium/issues/detail?id=468153 
2.) https://bugs.chromium.org/p/chromium/issues/detail?id=587466 
3.) https://stackoverflow.com/questions/12374442/chrome-browser-ignoring-autocomplete-off 

Most of the solutions to developers' problems involve some kind of hack or telling their user base to disable autocomplete entirely (how's that for "better security"?).

Additionally, I think you have mistakenly decided that this is not a security concern. I use a web application on which I am an administrator and have my credentials saved by the password manager in Firefox. However, when I set up or edit a user on our web application, Firefox always auto-fills my administrator credentials into the user's password fields even though the <input> field has autocomplete=off specified. If someone wasn't paying attention to the auto-filled fields they could save their own credentials to someone else's account. And if the web application allowed other users to view their own password, this could result in that user receiving the credentials of an administrator! This is a security concern!

> However, when I set up or edit a user on our web application, Firefox always auto-fills my administrator credentials

I'm also having the same issue.
Firefox seems to only autofill the first password field it finds.
So I have found three solutions:
1) Don't use a password field, use a simple text field. It's not really a solution.
2) Use a password field, add a confirmation field. The confirmation field will not be filled automatically. When submitting the form, make sure both fields have the same value.
3) Put a dummy password field somewhere and hide it with CSS, with display: none. The dummy field will be filled, your important field will not be. Watch out when doing this, make sure the data of this dummy field is not sent in the request (you don't want the administrator password to be sent over for no reason).

I'm going to close this bug since it's covered by multiple others e.g. bug 558178 and bug 1287202.

(In reply to info from comment #6)
> > However, when I set up or edit a user on our web application, Firefox always auto-fills my administrator credentials
>
> I'm also having the same issue.
> Firefox seems to only autofill the first password field it finds.
> So I have found three solutions:
> 1) Don't use a password field, use a simple text field. It's not really a solution.
> 2) Use a password field, add a confirmation field. The confirmation field will not be filled automatically. When submitting the form, make sure both fields have the same value.
> 3) Put a dummy password field somewhere and hide it with CSS, with display: none. The dummy field will be filled, your important field will not be. Watch out when doing this, make sure the data of this dummy field is not sent in the request (you don't want the administrator password to be sent over for no reason).

The correct solution is to use autocomplete="new-password" in supporting browsers. See bug 1119063.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
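Putting the advice in comment 7 into markup, as an added example that is not code from this bug, from the reporter, or from Mozilla: the login form from comment 0 and the administrator's create-user form from comment 5, rewritten so the browser is told what each password field is for instead of being asked (and refused) to stay away. The form actions, field names and the checkMatch() helper are assumptions for the illustration; the autocomplete token values username, current-password and new-password are the standard ones from the HTML autofill specification.

```html
<!-- Login form: these are the user's OWN, existing credentials. Firefox
     (comment 1) deliberately ignores autocomplete="off" on password forms,
     so the fields are labelled honestly rather than suppressed. -->
<form name="Login" action="login.aspx" method="post">
  <label>User ID
    <input type="text" name="UserID" autocomplete="username">
  </label>
  <label>Password
    <input type="password" name="Password" autocomplete="current-password">
  </label>
  <input type="submit" value="Logon">
</form>

<!-- Admin "create or edit user" form (the case in comments 5 and 6).
     autocomplete="new-password" tells the browser the field is for SETTING
     a credential, so the administrator's saved password must not be filled
     into it. Action URL and field names are assumed for this example. -->
<form id="create-user" action="users/save.aspx" method="post"
      onsubmit="return checkMatch(this);">
  <label>Username
    <!-- The NEW account's name, not the admin's login, so "username" would be
         the wrong token here; "off" is the only fitting value. -->
    <input type="text" name="NewUserID" autocomplete="off">
  </label>
  <label>Initial password
    <input type="password" name="NewPassword" autocomplete="new-password" required>
  </label>
  <label>Confirm password
    <input type="password" name="ConfirmPassword" autocomplete="new-password" required>
  </label>
  <input type="submit" value="Save user">
</form>

<script>
  // Workaround 2 from comment 6, kept as a safety net on top of the token:
  // refuse to submit unless both fields carry the same value, so a field
  // that was silently autofilled cannot be saved unnoticed.
  // (Hypothetical helper written for this example, not from the bug.)
  function checkMatch(form) {
    var first = form.elements["NewPassword"].value;
    var second = form.elements["ConfirmPassword"].value;
    if (first !== second) {
      alert("Passwords do not match.");
      return false; // cancels the submit
    }
    return true;
  }
</script>
```

The create-user form carries no dummy password field (workaround 3 in comment 6) because, with the new-password token, there is nothing for the browser to fill and therefore no decoy value to scrub out of the request before it is sent. Firefox's support for these tokens is what bug 1119063, cited in comment 7, tracked.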

(In reply to valadezpm from comment #5)
> Mozilla bugmasters, I believe you should reassess your position to
> intentionally ignore autocomplete=off, because this position is contrary to
> the intentions of web developers! There are hundreds of developers who have
> stated their grievances with this position:
>
> 1.) https://bugs.chromium.org/p/chromium/issues/detail?id=468153
> 2.) https://bugs.chromium.org/p/chromium/issues/detail?id=587466
> 3.) https://stackoverflow.com/questions/12374442/chrome-browser-ignoring-autocomplete-off
>
> Most of the solutions to developers' problems involve some kind of hack or
> telling their user base to disable autocomplete entirely (how's that for
> "better security"?).
>
> Additionally, I think you have mistakenly decided that this is not a
> security concern. I use a web application on which I am an administrator
> and have my credentials saved by the password manager in Firefox. However,
> when I set up or edit a user on our web application, Firefox always
> auto-fills my administrator credentials into the user's password fields even
> though the <input> field has autocomplete=off specified. If someone wasn't
> paying attention to the auto-filled fields they could save their own
> credentials to someone else's account. And if the web application allowed
> other users to view their own password, this could result in that user
> receiving the credentials of an administrator! This is a security concern!

I came across this issue, and after reading this thread I completely disagree with anyone who wants to fill in their own users' passwords. I think THAT is a security concern. I think that the administrator should in no case change a user's password himself; I think it is better, security-wise, to send an email with a password change link.

Duplicate of this bug: 1827843