LastPass enters password in username field instead of password field

VERIFIED FIXED in Firefox 65

Status

defect
P1
normal
VERIFIED FIXED
8 months ago
4 months ago

People

(Reporter: jonalmeida, Assigned: m_kato)

Tracking

unspecified
mozilla66
Unspecified
Android
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(geckoview62 wontfix, geckoview64 wontfix, firefox62 wontfix, firefox63 wontfix, firefox64 wontfix, firefox65 verified, firefox66 verified)

Details

(Whiteboard: [geckoview:fenix:p1])

Attachments

(5 attachments)

Reporter

Description

8 months ago
See focus-android[0] for a more detailed bug report.

Steps to reproduce

    Have an account and login setup on LinkedIn saved in LastPass.
    Go to http://linkedin.com
    Click on the password field.
    Click the popup dialog that shows up from LastPass to auto-fill your password.

Expected behavior

    The username is correctly filled in from LastPass.
    The password is correctly filled in from LastPass.

Actual behavior

    Both, username and password fields are filled with the password.

Device information

    Android device: Pixel 2 (Android 9)
    Focus version: 8.0 (Build #322700813 🦎 62.0.3.20180922023437)


[0]: https://github.com/mozilla-mobile/focus-android/issues/3501#issuecomment-428346024
Jonathan can you test this again when you pick up GeckoView 63?
Flags: needinfo?(jonalmeida942)
Priority: -- → P2
We expect LastPass to be fixed in Focus (by bug 1330257) after they pick up GV 63 next week.
Reporter

Comment 3

7 months ago
David & Chris, I just tested this on Focus with GV 63 and I'm still able to reproduce the issue.

I applied this PR[0] which Focus is going to be merging next week and verified I was using GV by checking the user-agent[1].

NI cpeterson in case you want to prioritize this.

[0]: https://github.com/mozilla-mobile/focus-android/pull/3619
[1]: https://whatismybrowser.com
Flags: needinfo?(jonalmeida942) → needinfo?(cpeterson)
@ Jonathan, thanks for the testing GV 63! Do you know offhand if this problem happens in Fennec, too?

@ Jim, can you take a look at this LastPass bug next week? Entering the password in the username field would make LastPass unusable. This sounds like a bug we should to fix in GV 63 for Focus 8.0.
Assignee: nobody → nchen
Flags: needinfo?(cpeterson) → needinfo?(nchen)
OS: Unspecified → Android
Priority: P2 → P1
Does it reproduce on other sites? IMO this would be a lower priority if it's only LinkedIn.
Flags: needinfo?(nchen) → needinfo?(jonalmeida942)
Reporter

Comment 6

7 months ago
I've been able to repro this on a several websites including Google SSO.
Flags: needinfo?(jonalmeida942) → needinfo?(nchen)
Unassigning Jim. We'll need to find a new owner for this bug. This bug is probably a release blocker for testing GV 64 with Focus 8.0 prod users.
Assignee: nchen → nobody
Flags: needinfo?(nchen)
Assignee

Updated

6 months ago
Assignee: nobody → m_kato
64=fix-optional because this bug is (very!) nice-to-have but doesn't block Focus 8.0.
Assignee

Comment 9

6 months ago
I would like to get username fields etc from form or input element in form.

Since LoginManagerContent._getFormFields has "_" prefix (it means private
member) and LoginManagerCotnent.getFieldContext doesn't return elements,
I would like to add simple API for it.

Also, it doesn't have FormLikes parameter, I cannot write unit test like
getFieldContext.  Unit test will be followed by GeckoView junit.
Assignee

Comment 10

6 months ago
LastPass will fill password to all input elements which InputType is
TYPE_CALSS_TEXT and TYPE_TEXT_VARIATION_WEB_EDIT_TEXT and has no AutofillHint.
And it will fill username when InputType and AutofillHint is nothing in
<input type="text">.

Actually, current implementation of GeckoView sets InputType only for
<input type="text">, so LastPass fills password to all <input type="text">

So as workaround, we should set InputType and AutofillHint when input element
presumes username fields.

Depends on D12880
Assignee

Comment 11

6 months ago
Add autofill hint test if using Android 8+.

Depends on D12881
In anticipation of the creation of the GECKOVIEW_64_RELBRANCH next week, I am moving this bug from status-firefox64=affected to status-geckoview64=affected.
Makoto, do you have any updates on this LastPass bug? It looks like patch #2 and #3 have r+ and patch #1 needs to address some review comments?
Flags: needinfo?(m_kato)
Assignee

Comment 14

5 months ago
(In reply to Chris Peterson [:cpeterson] from comment #13)
> Makoto, do you have any updates on this LastPass bug? It looks like patch #2
> and #3 have r+ and patch #1 needs to address some review comments?

I am working part 1 fix.  I will send review soon.
Flags: needinfo?(m_kato)

Comment 15

5 months ago
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e5727b563004
Part 1. Add API to recognize username field and password field from a field in form. r=MattN
https://hg.mozilla.org/integration/mozilla-inbound/rev/78488dedd35e
Part 2. Don't set inputType to all <input type=text>. r=droeh
https://hg.mozilla.org/integration/mozilla-inbound/rev/b68c8690cc9e
Part 3. Add junit test. r=droeh
Flags: in-testsuite+

Updated

5 months ago
Product: Firefox for Android → GeckoView
Makoto, should we uplift your LastPass fix to Fennec and GV 65 Beta (or even the GV 64 relbranch used in Focus 8.0)?
Flags: needinfo?(m_kato)
Assignee

Comment 19

5 months ago
Comment on attachment 9033308 [details] [diff] [review]
rebasing for beta: Bug 1497682 - Part 1. Add API to recognize username field and password field from a field in form. r=MattN

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: Bug 1330257

User impact if declined: By bug 1330257, Firefox Android (and GeckoView) supports autofill framework that is a new feature on Android 8+.   When using LastPass (a famous passoword manager) for Android, LastPass fills password to all text fields that has no password type attribute.

Is this code covered by automated tests?: Yes

Has the fix been verified in Nightly?: Yes

Needs manual test from QE?: Yes

If yes, steps to reproduce: 1. Have an account and login setup on LinkedIn saved in LastPass.
2. Go to http://linkedin.com
3. Click on the password field.
4. Click the popup dialog that shows up from LastPass to auto-fill your password.

AR
Both, username and password fields are filled with the password.

ER
Don't fill password on non-password field.

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Before this fix, we set a hint to all text fields as generic text (if no number type etc).  But it causes this issue on LastPass unfortunately.

Firefox desktop (autofill JS module) has login field detection for username ans password fields.  So this fix uses this desktop's Javascript module to detect username field and password field, then we set a valid hint to autofill framework for username and password correctly.

String changes made/needed:
Flags: needinfo?(m_kato)
Attachment #9033308 - Flags: approval-mozilla-beta?
Assignee

Updated

5 months ago
Attachment #9027466 - Flags: approval-mozilla-beta?
Assignee

Updated

5 months ago
Attachment #9027468 - Flags: approval-mozilla-beta?
Flags: qe-verify+
Comment on attachment 9033308 [details] [diff] [review]
rebasing for beta: Bug 1497682 - Part 1. Add API to recognize username field and password field from a field in form. r=MattN

[Triage Comment]
Important compat fix for LastPass users. Makes me a bit nervous, but we're still early enough in the beta cycle that we should be able to notice any regressions in time. Let's have QA give this a solid pass as well. Thanks for including an automated test. Approved for 65.0b7.
Attachment #9033308 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9027466 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9027468 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Target Milestone: Firefox 66 → mozilla66
Device:
 - Google Pixel C(tab) (Android 8.0.0)
 - Google Pixel XL (Android 9.0.0 / P)
 - Google Pixel 3 XL(Android 9.0.0 / P)
 - Samsung Galaxy Note 9 (Android 8.1.0)

Verified as fixed in the latest Beta build 65b.0b7 and the latest Nightly Build 66.0a1(07-Jan-2019).
Note that I verified the login at least 5 times for each device and it worked every time, the username and password were assigned in the right field.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Assignee

Updated

4 months ago
Duplicate of this bug: 1515436
Whiteboard: [geckoview:fenix:p1]
You need to log in before you can comment on or make changes to this bug.