Password Autofill does not correctly filter entries in Reference Browser or Fenix
Categories
(GeckoView :: General, task, P1)
Tracking
(firefox66 wontfix, firefox67 wontfix, firefox68 affected, firefox69 affected)
People
(Reporter: callahad, Assigned: st3fan)
References
Details
(Whiteboard: [geckoview:fenix:m7])
GeckoView-based browsers are not correctly filtering auto-fill logins to the current page.
I'm using Bitwarden, but Dave Miller reported seeing the same issue with 1Password on the Reference Browser mailing list: https://groups.google.com/d/msg/mozilla-reference-browser/81dyP4JzeCo/25HF6AE9CAAJ
Steps to Reproduce:
- Visit a sign-in page
- Focus the password field
- Tap "Auto-fill with Bitwarden" prompt provided by Android
Expected Behavior:
- The URL of the current page is passed to Bitwarden, showing me only relevant logins.
Actual Results:
- The Android package name is passed to Bitwarden, causing it to filter my vault on org.mozilla.fenix or org.mozilla.reference.browser and thus not show any relevant logins.
Chrome and Brave both exhibit the expected behavior, while Edge fails in the same manner, filtering on com.microsoft.emmx.
Comment 1•9 months ago
(In reply to Dan Callahan [:callahad] from comment #0)
GeckoView-based browsers are not correctly filtering auto-fill logins to the current page.
I'm using Bitwarden, but Dave Miller reported seeing the same issue with 1Password on the Reference Browser mailing list: https://groups.google.com/d/msg/mozilla-reference-browser/81dyP4JzeCo/25HF6AE9CAAJ
Bitwarden has a safe list to detect the web domain (https://github.com/bitwarden/mobile/blob/b0cabbbfc249ad306ec80772a21088738ace579e/src/Android/Autofill/Parser.cs#L96 and https://github.com/bitwarden/mobile/blob/05f6d6d1561563fd992f001af3bd54182eed8b7d/src/Android/Autofill/AutofillHelpers.cs#L27). So could you file a bug with Bitwarden for Reference Browser?
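To make the filtering decision described above concrete, here is an added model (not code from Bitwarden, GeckoView or any password manager) of how an Android autofill service ends up keying on the package name rather than the site: the web domain reported by the browser is only used when the browser's package is on the manager's safe list, otherwise the vault is filtered on an androidapp:// URI for the app itself. The safe list, vault and view tree are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed safe list, standing in for the one a password manager keeps
# (assumption: Chrome is on it and Fenix is not, as reported in this bug).
TRUSTED_BROWSERS = {"com.android.chrome", "com.brave.browser"}

@dataclass
class ViewNode:
    """Stand-in for the webDomain/children parts of an Android ViewNode."""
    web_domain: Optional[str] = None
    children: list = field(default_factory=list)

@dataclass
class AssistStructure:
    """Stand-in for the structure an autofill service gets in a FillRequest."""
    package_name: str
    root: ViewNode

def find_web_domain(node: ViewNode) -> Optional[str]:
    """Depth-first search for the first node that carries a webDomain."""
    if node.web_domain:
        return node.web_domain
    for child in node.children:
        found = find_web_domain(child)
        if found:
            return found
    return None

def filter_key(structure: AssistStructure, trusted=TRUSTED_BROWSERS) -> str:
    """Identifier the vault is filtered on: the page's domain when the browser
    package is on the safe list, otherwise the app itself as an androidapp:// URI."""
    domain = find_web_domain(structure.root)
    if domain and structure.package_name in trusted:
        return domain
    return f"androidapp://{structure.package_name}"

def matching_logins(vault: dict, structure: AssistStructure, trusted=TRUSTED_BROWSERS) -> list:
    """vault maps a domain or androidapp:// URI to the logins stored for it."""
    return vault.get(filter_key(structure, trusted), [])

# Constructed sample vault and two fill requests for the same sign-in page.
VAULT = {"accounts.example.com": ["alice@example.com"]}
PAGE = ViewNode(children=[ViewNode(web_domain="accounts.example.com")])
FENIX = AssistStructure("org.mozilla.fenix", PAGE)
CHROME = AssistStructure("com.android.chrome", PAGE)
```

Adding the browser package to the safe list is the whole fix on the manager side, which is why the thread turns into per-vendor outreach.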
Reporter
Comment 2•9 months ago
Wow, that may be an issue with Bitwarden!
I'm surprised because:
- Dave described 1Password doing the same thing
- Edge also fails, despite being in Bitwarden's whitelist
...but Lockbox does work correctly, so it must be an upstream issue, right?
I'll report with Bitwarden and see if we can get that fixed.
Reporter
Comment 3•9 months ago
Filed https://github.com/bitwarden/mobile/issues/477 to get Fenix, Reference Browser, and Rocket whitelisted by Bitwarden.
Reporter
Comment 4•8 months ago
An upstream fix has landed in Bitwarden; we had to get our package name whitelisted in their code.
I'm not sure how common that practice is, so we should verify that autofill works correctly in other major password managers, at least:
- 1Password
- LastPass
- Dashlane
I've personally verified that we're good to go in:
- Lockbox
- Bitwarden
I'll check the others later in the week, once I'm back from PTO.
Reporter
Comment 5•8 months ago
...I had a long train ride. Here's where we stand:
Password Manager | Status | Notes
---|---|---
Lockbox | GOOD |
Bitwarden | GOOD | Minor issues on Android 7, tracking at https://github.com/bitwarden/mobile/issues/477
Dashlane | OKAY | Works correctly, but warns about "unknown app" when entries are selected
LastPass | FAIL | Filters incorrectly
Enpass | FAIL | Filters incorrectly
KeePass DX | FAIL | Filters incorrectly
1Password | FAIL | Filters incorrectly, and warns that "1Password can't verify that Fenix should have access to your login" when entries are selected
1Password is especially bad: accepting the warning silently modifies the user's keychain to associate the password with Fenix itself. From then on, that login is presented as an autofill option on every website, increasing the risks of phishing that password managers normally mitigate.
It seems like resolving this will require outreach to each vendor; I don't think we can do anything to fix this on our end.
Comment 6•8 months ago
67=wontfix. Fenix MVP will use GeckoView 68, so we don't need to uplift this fix to 67 Beta.
Reporter
Comment 8•8 months ago
I was hoping to handle this, but I'm going to have to turn it back over to folks on the GV side.
Comment 9•8 months ago
Bitwarden added Fenix, RB, and Rocket to its autofill whitelist on 2019-03-29:
But the most recent Bitwarden release is version 1.22.0 from 2019-02-04. We should retest this bug after Bitwarden releases a new version:
Comment 10•8 months ago
(In reply to Dan Callahan [:callahad] from comment #5)
Password Manager | Status | Notes
---|---|---
Dashlane | OKAY | Works correctly, but warns about "unknown app" when entries are selected
LastPass | FAIL | Filters incorrectly
Enpass | FAIL | Filters incorrectly
KeePass DX | FAIL | Filters incorrectly
1Password | FAIL | Filters incorrectly, and warns that "1Password can't verify that Fenix should have access to your login" when entries are selected

It seems like resolving this will require outreach to each vendor; I don't think we can do anything to fix this on our end.
I can reach out to Dashlane, LastPass, Enpass, KeePass, and 1Password.
Comment 11•7 months ago
Reassigning this bug to Stefan because he says he is already talking with Dashlane, LastPass, Enpass, KeePass, and 1Password about whitelisting Fenix in their password managers.
Comment 12•7 months ago
I'm closing this bug because this is not a GV bug. Each app that uses GV will need to get itself whitelisted by the password manager vendors.