Closed Bug 1538385 Opened 9 months ago Closed 7 months ago

Password Autofill does not correctly filter entries in Reference Browser or Fenix

Categories

(GeckoView :: General, task, P1)

Unspecified
Android

Tracking

(firefox66 wontfix, firefox67 wontfix, firefox68 affected, firefox69 affected)

RESOLVED INVALID
Tracking Status
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- affected
firefox69 --- affected

People

(Reporter: callahad, Assigned: st3fan)

References

Details

(Whiteboard: [geckoview:fenix:m7])

GeckoView-based browsers are not correctly filtering auto-fill logins to the current page.

I'm using Bitwarden, but Dave Miller reported seeing the same issue with 1Password on the Reference Browser mailing list: https://groups.google.com/d/msg/mozilla-reference-browser/81dyP4JzeCo/25HF6AE9CAAJ

Steps to Reproduce:

  1. Visit a sign-in page
  2. Focus the password field
  3. Tap "Auto-fill with Bitwarden" prompt provided by Android

Expected Behavior:

  • The URL of the current page is passed to Bitwarden, showing me only relevant logins.

Actual Results:

  • The Android package name is passed to Bitwarden, causing it to filter my vault on org.mozilla.fenix or org.mozilla.reference.browser and thus not show any relevant logins.

Chrome and Brave both exhibit the expected behavior, while Edge fails in the same manner, filtering on com.microsoft.emmx.

Summary: Password Autofill does correctly filter entries in Reference Browser or Fenix → Password Autofill does not correctly filter entries in Reference Browser or Fenix

(In reply to Dan Callahan [:callahad] from comment #0)

GeckoView-based browsers are not correctly filtering auto-fill logins to the current page.

I'm using Bitwarden, but Dave Miller reported seeing the same issue with 1Password on the Reference Browser mailing list: https://groups.google.com/d/msg/mozilla-reference-browser/81dyP4JzeCo/25HF6AE9CAAJ

Bitwarden has a safe list to detect the web domain (https://github.com/bitwarden/mobile/blob/b0cabbbfc249ad306ec80772a21088738ace579e/src/Android/Autofill/Parser.cs#L96 and https://github.com/bitwarden/mobile/blob/05f6d6d1561563fd992f001af3bd54182eed8b7d/src/Android/Autofill/AutofillHelpers.cs#L27). So could you file a bug with Bitwarden for Reference Browser?

Flags: needinfo?(dan.callahan)

Wow, that may be an issue with Bitwarden!

I'm surprised because:

  1. Dave described 1Password doing the same thing
  2. Edge also fails, despite being in Bitwarden's whitelist

...but Lockbox does work correctly, so it must be an upstream issue, right?

I'll report with Bitwarden and see if we can get that fixed.

Flags: needinfo?(dan.callahan)

Filed https://github.com/bitwarden/mobile/issues/477 to get Fenix, Reference Browser, and Rocket whitelisted by Bitwarden.

Priority: -- → P1
Whiteboard: [geckoview:fenix:m4]

An upstream fix has landed in Bitwarden; we had to get our package name whitelisted in their code.

I'm not sure how common that practice is, so we should verify that autofill works correctly in other major password managers, at least:

  • 1Password
  • LastPass
  • Dashlane

I've personally verified that we're good to go in:

  • Lockbox
  • Bitwarden

I'll check the others later in the week, once I'm back from PTO.

...I had a long train ride. Here's where we stand:

Password Manager | Status | Notes
Lockbox          | GOOD   |
Bitwarden        | GOOD   | Minor issues on Android 7, tracking at https://github.com/bitwarden/mobile/issues/477
Dashlane         | OKAY   | Works correctly, but warns about "unknown app" when entries are selected
LastPass         | FAIL   | Filters incorrectly
Enpass           | FAIL   | Filters incorrectly
KeePass DX       | FAIL   | Filters incorrectly
1Password        | FAIL   | Filters incorrectly, and warns that "1Password can't verify that Fenix should have access to your login" when entries are selected

1Password is especially bad: accepting the warning silently modifies the user's keychain to associate the password with Fenix itself. From then on, that login is presented as an autofill option on every website, increasing the risks of phishing that password managers normally mitigate.

It seems like resolving this will require outreach to each vendor; I don't think we can do anything to fix this on our end.
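The filtering decision the thread describes, as an added model that is not Bitwarden's, 1Password's or GeckoView's code: an Android autofill service gets the requesting app's package name and, if the app is a browser that reports one, the web domain of the page. A password manager may only trust that domain from packages it knows to be browsers; for anything else it filters on the package name, which is why an un-whitelisted browser shows no matches (the bug) and why a login re-associated with the browser package shows up on every page (the 1Password failure mode above). The vault entries, domains and the browser set other than the three packages named in this bug are constructed for the example.

```python
"""Model of autofill filtering by package name versus web domain.

Added illustration only; not code from Bitwarden, 1Password or GeckoView.
The two inputs correspond to what the Android autofill framework hands a
service: the package that owns the focused field and the page's web domain
(AssistStructure.ViewNode.getWebDomain()), which only browsers report.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Set

APP_SCHEME = "androidapp://"  # marker for app-scoped (non-web) logins


@dataclass(frozen=True)
class Login:
    name: str
    uri: str  # a web domain, or APP_SCHEME + package name for app logins


# Constructed sample vault; names and domains are illustrative only.
SAMPLE_VAULT: List[Login] = [
    Login("Example Bank", "bank.example.com"),
    Login("Example Mail", "mail.example.org"),
    Login("Some Android app", APP_SCHEME + "com.example.app"),
]

# Browser packages whose reported web domain is trusted. The three Mozilla
# packages are the ones this bug got whitelisted; Chrome is assumed here.
KNOWN_BROWSERS: Set[str] = {
    "com.android.chrome",
    "org.mozilla.fenix",
    "org.mozilla.reference.browser",
    "org.mozilla.rocket",
}


def filter_key(package_name: str, web_domain: Optional[str],
               known_browsers: Set[str]) -> str:
    """Decide what the vault is filtered on for one fill request.

    A web domain is honoured only when the requesting package is a known
    browser; otherwise any app could claim a victim's domain and harvest
    that login, so the request falls back to the package name.
    """
    if web_domain and package_name in known_browsers:
        return web_domain
    return APP_SCHEME + package_name


def matching_logins(vault: List[Login], package_name: str,
                    web_domain: Optional[str],
                    known_browsers: Set[str]) -> List[Login]:
    """Return the vault entries an autofill prompt would offer."""
    key = filter_key(package_name, web_domain, known_browsers)
    if key.startswith(APP_SCHEME):
        return [login for login in vault if login.uri == key]
    # Web match: exact domain, or the page is a subdomain of the stored one.
    return [login for login in vault
            if key == login.uri or key.endswith("." + login.uri)]


def associate_with_package(login: Login, package_name: str) -> Login:
    """Model of accepting the 1Password warning described in this bug:
    the web login is re-scoped to the browser's package, after which it
    matches every page loaded in that browser."""
    return replace(login, uri=APP_SCHEME + package_name)


if __name__ == "__main__":
    # Fenix before whitelisting: filtered on the package, so nothing matches.
    print(matching_logins(SAMPLE_VAULT, "org.mozilla.fenix",
                          "bank.example.com", set()))
    # Fenix after whitelisting: filtered on the page's domain.
    print(matching_logins(SAMPLE_VAULT, "org.mozilla.fenix",
                          "bank.example.com", KNOWN_BROWSERS))
    # A non-browser app claiming the bank's domain gets no bank login.
    print(matching_logins(SAMPLE_VAULT, "com.evil.app",
                          "bank.example.com", KNOWN_BROWSERS))
    # Re-associated login leaks to an unrelated page in the same browser.
    leaked = associate_with_package(SAMPLE_VAULT[0], "org.mozilla.fenix")
    print(matching_logins([leaked], "org.mozilla.fenix",
                          "phish.example.net", set()))
```

The phishing caveat is the last case: once a web login is stored against the browser's package rather than its domain, the domain check no longer protects it, which is the property the thread says password managers normally provide.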

67=wontfix. Fenix MVP will use GeckoView 68, so we don't need to uplift this fix to 67 Beta.

Is the remaining work here devrel or GV? :)

Flags: needinfo?(dan.callahan)

I was hoping to handle this, but I'm going to have to turn it back over to folks on the GV side.

Flags: needinfo?(dan.callahan)
See Also: → 1538458

Bitwarden added Fenix, RB, and Rocket to its autofill whitelist on 2019-03-29:

https://github.com/bitwarden/mobile/commit/6088cfe2669d692d60175388aaf59933e07c9be8#diff-743a249a3bb6eca734660644492de094

But the most recent Bitwarden release is version 1.22.0 from 2019-02-04. We should retest this bug after Bitwarden releases a new version:

https://github.com/bitwarden/mobile/releases

(In reply to Dan Callahan [:callahad] from comment #5)

Password Manager | Status | Notes
Dashlane         | OKAY   | Works correctly, but warns about "unknown app" when entries are selected
LastPass         | FAIL   | Filters incorrectly
Enpass           | FAIL   | Filters incorrectly
KeePass DX       | FAIL   | Filters incorrectly
1Password        | FAIL   | Filters incorrectly, and warns that "1Password can't verify that Fenix should have access to your login" when entries are selected

It seems like resolving this will require outreach to each vendor; I don't think we can do anything to fix this on our end.

I can reach out to Dashlane, LastPass, Enpass, KeePass, and 1Password.

Assignee: nobody → cpeterson
Type: defect → task
OS: All → Android
Whiteboard: [geckoview:fenix:m4] → [geckoview:fenix:m5]

Reassigning this bug to Stefan because he says he is already talking with Dashlane, LastPass, Enpass, KeePass, and 1Password about whitelisting Fenix in their password managers.

Assignee: cpeterson → sarentz

I'm closing this bug because this is not a GV bug. Each app that uses GV will need to get itself whitelisted by the password manager vendors.

Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → INVALID
Whiteboard: [geckoview:fenix:m5] → [geckoview:fenix:m7]