Open Bug 1540727 Opened 1 year ago Updated 2 months ago

When a second set of credentials is saved by logging into google, the first's set's password is saved

Categories

(Toolkit :: Password Manager: Site Compatibility, defect, P3)

Desktop
All
defect

Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 --- wontfix
firefox70 --- wontfix
firefox71 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- fix-optional

People

(Reporter: danibodea, Unassigned)

References

(Depends on 1 open bug)

Details

(Keywords: regression)

Attachments

(2 files)

Note

  • When logging into Google in 2 different accounts consecutively and saving the credentials, the second set will steal the first set's password.

Affected versions

  • Nightly v68.0a1

Affected platforms

  • Windows 10
  • Mac OS 10.13.6
  • Ubuntu 16.04

Steps to reproduce

  1. Open Firefox with a new profile.
  2. Reach: https://www.google.com/
  3. Click on the "Sign in" button.
  4. Input any email form of a string and tap ENTER.
  5. Input any string as a password and tap ENTER.
    At this point: The pop-up to save the credential set is displayed; Confirm it.
  6. Click on the email to go back and log in with another email.
  7. Input another email form and tap ENTER.

Expected result

  • The pop-up to save the credentials should only be displayed after the password is inputted.

Actual result

  • The pop-up to save the second set of credentials is already displayed, before even inputting the second password. The password string is stolen from the first saved credentials set.

Steps to reproduce PART2

  8. Click "Save" to save the second credential set (with the wrong password).
  9. Input any string as the second password and tap ENTER.
  10. The pop-up to update the second set of credentials with the correct password is displayed.

Regression range

  • This appears to be a recent regression because it does not occur on the Release version v66.0.2;
  • The mozregression gave out the "Unable do bisect" error, but the mozregression log should be enough to determine the regressor. The log is attached.
  • This issue also occurs in the case of logging in to Yahoo.com:
    https://login.yahoo.com/config/login?.src=fpctx&.intl=ro&.lang=ro-RO&.done=https%3A%2F%2Fro.yahoo.com
    and most probably to any site that has the username/email field and the password field on different pages.

https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=88033151&tochange=1d783ed6

I think this is a side-effect of bug 1287202 that we'll probably have to live with as we have no idea that the password isn't the matching one. This also seems like an edge case.

Blocks: 1287202
Flags: needinfo?(MattN+bmo)
Summary: When a second set of credentials is saved by logging into google, the first's set's password is stolen → When a second set of credentials is saved by logging into google, the first's set's password is saved
Depends on: 558178
Flags: needinfo?(MattN+bmo)
Priority: -- → P3
Duplicate of this bug: 1541440

Updating the affected flags. Reproducible on latest Beta 70.0b8 (64-bit) and Nightly71 on Windows 10 x64.

Note that this is reproducible only when there is 1 set of credentials saved.
As per the spec, when there is only 1 set of credentials saved for a site, the fields will be pre-filled with the info.

If there are multiple credentials saved for google.com, the password won't be filled on the second page due to the autofill dropdown which will appear instantly and allow the user to select a password.
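
The behaviour described in the report and in the comment above, as a simplified model added here for illustration (not Firefox's password manager code and not a fix proposed in this bug). All names, the sample origin and the `ignoreUntouchedAutofill` guard are assumptions; the guard shows one way a capture step could avoid pairing a new username with a pre-filled password.

```javascript
// Toy model of the behaviour discussed in this bug; NOT Firefox's password manager code.
// ToyLoginStore, captureDecision and ignoreUntouchedAutofill are hypothetical names.
class ToyLoginStore {
  constructor() { this.logins = []; }
  forOrigin(origin) { return this.logins.filter(l => l.origin === origin); }
  save(origin, username, password) { this.logins.push({ origin, username, password }); }
  // Rule quoted in the thread: pre-fill only when exactly one login is saved for the site.
  autofillPassword(origin) {
    const saved = this.forOrigin(origin);
    return saved.length === 1 ? saved[0].password : "";
  }
}

// The password field as it looks when page 2 of a two-page login loads.
function loadPasswordPage(store, origin) {
  return { value: store.autofillPassword(origin), userEdited: false };
}

function typePassword(field, text) {
  field.value = text;
  field.userEdited = true;
}

// Decide which pop-up to show when a capture event fires on page 2.
function captureDecision(store, origin, username, field, opts = {}) {
  if (!field.value) return { action: "none" };
  // Assumed guard: a value that autofill wrote and the user never touched
  // says nothing about the username just entered on page 1.
  if (opts.ignoreUntouchedAutofill && !field.userEdited) return { action: "none" };
  const existing = store.forOrigin(origin).find(l => l.username === username);
  if (!existing) return { action: "save", username, password: field.value };
  if (existing.password !== field.value) return { action: "update", username, password: field.value };
  return { action: "none" };
}

// Constructed sample data: one saved login, then a second username on page 1.
const ORIGIN = "https://accounts.example";
const store = new ToyLoginStore();
store.save(ORIGIN, "first@example.com", "first-password");

const field = loadPasswordPage(store, ORIGIN);
const naive = captureDecision(store, ORIGIN, "second@example.com", field);
const guarded = captureDecision(store, ORIGIN, "second@example.com", field,
                                { ignoreUntouchedAutofill: true });
console.log(naive, guarded);
```
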

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
See Also: → 1584185

Matt, is this something you intend to address in the future?

Flags: needinfo?(MattN+bmo)

Possibly, depending on the feedback we get in Beta and Release

Flags: needinfo?(MattN+bmo)

(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #6)

Possibly, depending on the feedback we get in Beta and Release

Did you get the feedback you expected over the last month? Should we care about it for 71? Thanks

Flags: needinfo?(MattN+bmo)

I haven't seen any user complaints about this so I don't think it's a pressing issue.

Flags: needinfo?(MattN+bmo)
Attached video Beta73.0b8

I am still concerned about this and will update the affected flags. Attached the current behavior.
