CAPTCHA is broken in Firefox for WIDE VARIETY OF SITES in Windows 64 Desktop Version 54.0.1 and earlier versions (last 6 months at least) running in https

RESOLVED INCOMPLETE

Status

()

Firefox
Untriaged
RESOLVED INCOMPLETE
3 months ago
3 months ago

People

(Reporter: Jim Adgate, Unassigned)

Tracking

54 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 months ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170628075643

Steps to reproduce:

Captcha is broken in Firefox, either because the CAPTCHA is not displayed when registering for new accounts, OR when displayed it does not allow for the input of the displayed characters in a manner that the CAPTCHA engine finds acceptable - it prompts for the proper input over and over again.  CAPTCHA for the impacted pages all work in Chrome or Internet Explorer.  This is an issue for the 64 bit Windows version (desktop PC).  I'm currently using 54.0.1 but it has been an issue for months now; at least the last couple of versions.   It happens in a WIDE VARIETY OF SITES, BUT ESPECIALLY at any financial services website that requires secured registration.


Actual results:

Submission of requested inputs (characters) fails with an error message that required characters WERE NOT submitted. This happens 100% of the time.  When CAPTCHA exists and is not displayed it is impossible to troubleshoot the issue - the only way you know other than cryptic browser errors is to go to IE or Chrome where it is displayed properly (and works as intended)


Expected results:

The CAPTCHA should display and the right inputs SHOULD satisfy the CAPTCHA or RECAPTHA engine.  At first I thought this was a NoScript issue, but it happens even if NoScript is disabled, although NoScript makes troubleshooting it more problematic when it won't display the CAPTCHA

Comment 1

3 months ago
Not a security issue that needs to stay hidden.
Group: firefox-core-security

Comment 2

3 months ago
Unfortunately this report is not very useful because it does not describe the problem well. If you have time and can still reproduce the problem, please read https://developer.mozilla.org/en-US/docs/Mozilla/QA/Bug_writing_guidelines and add a more useful description to this report by providing clear steps to reproduce.
Flags: needinfo?(jadgate)

Comment 3

3 months ago
Also, please test without add-ons and with a clear and empty profile and report back.
(Reporter)

Comment 4

3 months ago
Ok, this is really, really, really, really aggravating.

I’m not a f-ing idiot.  I did disable my extensions like NoScript.  I also tested the same sites in other browsers Chrome and IE which handle CAPTCHA such that it actually works as intended, gee what a concept.

CAPTCHA is either not displaying or DOES NOT WORK.  If you input the characters displayed, the page will respond that the incorrect characters were entered. Testing the site in Chrome and IE shows that CAPTCHA works for them as intended.  Expected inputs as displayed by CAPTCHA result in successful completion of CAPTCHA requirements and it allows you to proceed.

As for what sites, just go to ANY site that uses CAPTCHA for new account registration or password re-sets – trust me you won’t have to test many – the problem is EASILY reproducible.

This is further complicated by the latest rollout of 55.0.2 Firefox which is a giant clusterf-k as far as I can tell – it has broken Lastpass and God knows what else - probably will f-ck up NoScript.  So YOU have your work cut out for you.

To reproduce: 

Go to ANY site that uses CAPTCHA to register new accounts or for password re-sets.  Attempt to register new account and it will fail with a cryptic error that input (CAPTCHA) was not correct and force you to do it again OR nothing will happen when you submit new account information.  The other bug is that CAPTCHA will not display at all. Then go to same site in IE and Chrome and CAPTCHA will display registration will succeed.
Flags: needinfo?(jadgate)

Comment 5

3 months ago
(In reply to Jim Adgate from comment #4)
> Ok, this is really, really, really, really aggravating.

I understand this is frustrating. It's just as frustrating for us because we can't reproduce the issue.

So, logically, something must be different between our setup and yours, like what sites we're testing or what cookies we've got set or whether we're behind a proxy or ... there's a lot of options here. This is why you get asked to narrow down what's causing the problem. It's a lot easier to narrow that down on your side than on ours, because we can't reproduce the issue at all, and trying 1000 different variations of it takes a lot of time (and even then might still not "work" in that we still won't be able to reproduce), whereas testing maybe 5 different approaches on your machine will *actually narrow down* what is and isn't related to the issue.

> As for what sites, just go to ANY site that uses CAPTCHA for new account
> registration or password re-sets – trust me you won’t have to test many –
> the problem is EASILY reproducible.

I can't find any such sites (literally, I went on google and looked, I registered for an additional gmail account to see, I tried other websites, no luck). To start this off, can you at least provide a link to a website where you have this problem? Also, if you follow the steps here ( https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles ) to create a separate test Firefox profile, does it reproduce there with the same site?

To be clear, the fact that it's broken on your main profile is quite likely still a Firefox issue - but we'll have to narrow it down so we can reproduce it, before we can address it.
Flags: needinfo?(jadgate)
(Reporter)

Comment 6

3 months ago
Start with the NoScript account registration site (I know, it's quite ironic that a site that is supposed to make web browsing more secure has CAPTCHA that doesn't work)

https://forums.informaction.com/ucp.php?mode=register

I did point this out to them months ago and their response was: "go away we are not going to fix this".  I guess having a non-functional locked down site is more important that something a non-technical end user can, hmmmm, actually USE.

Try your own account registration for Bugzilla (CAPTCHA is broken there :)

I think it's unacceptable that it breaks CAPTCHA - this should be escalated and given priority.  If I can't even register to notify you of bugs, that's a show stopper, in my NOT SO HUMBLE opinion.  This breaks one of the cardinal rules of security - availability.  If I can't reach you to let you know a problem exists, then your security is broken from where I stand.
Flags: needinfo?(jadgate)

Comment 7

3 months ago
(In reply to Jim Adgate from comment #6)
> Start with the NoScript account registration site (I know, it's quite ironic
> that a site that is supposed to make web browsing more secure has CAPTCHA
> that doesn't work)
> 
> https://forums.informaction.com/ucp.php?mode=register

This one works for me.

> Try your own account registration for Bugzilla (CAPTCHA is broken there :)

There's no captcha for me. I just get an email sent to my email address. Clicking that link, on the "confirm your registration" page that lets me set a password, I still don't see a captcha. Where do you see a captcha?

> I think it's unacceptable that it breaks CAPTCHA

Again, I understand this is frustrating, but it's not broken for everyone. We need to figure out why it's broken for you, and we can go from there. Did you try what I suggested in comment #5 and test a fresh Firefox profile? How did that go?
Flags: needinfo?(jadgate)

Comment 8

3 months ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0

Hello,

I have tested your issue on latest Firefox release (55.0.2) and latest Nightly (57.0a1, Build ID: 20170823100553) and could not reproduce it. I've tried to reproduce the issue on several websites, but the CAPTCHA was displayed and worked correctly on every website.

Can you please use a new clean Firefox profile to eliminate custom settings as a possible cause (https://goo.gl/z6JMnx), as Gijs suggested in comment 5 and comment 7?

Thanks.
Comment hidden (abuse-reviewed)

Comment 10

3 months ago
Without more details about why/when/how this is broken that enable us to reproduce, unfortunately there is nothing we can do.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.