Closed Bug 1582534 Opened 5 years ago Closed 5 years ago

Password overwritten with space characters after editing a login in about:logins

Categories

(Firefox :: about:logins, defect, P1)

Product:
Firefox
Component:
about:logins
Version:
70 Branch
Platform:
Desktop
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Firefox 71
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox69 --- unaffected
firefox70 + verified
firefox71 --- verified

People

(Reporter: ddurst, Assigned: MattN)

References

(Regression)

Details

(Keywords: dataloss, regression, Whiteboard: [passwords:management] [skyline])

Attachments

(1 file)

Bug 1582534 - about:logins: Always set the password value with .value so it's not easily visible in the Inspector. r=jaws
47 bytes, text/x-phabricator-request
Details | Review

I have 4 saved logins. Reveal password (for two of them) shows only blanks, no matter what mode I'm in. If I edit and add characters to one of those "blank" passwords, then... then I still see blanks for the characters I did not change, but I do see the characters I do change. But if I add a new login, this doesn't happen.

In addition, if I try to use the (unedited) other blank password when logging in, inspection shows that the value being attempted is actually just blanks. That login was

Created: August 29, 2019
Last modified: September 16, 2019
Last used: September 13, 2019

If I delete the offending login and re-save it, it appears fine in about:logins thereafter.

Status: NEW → ASSIGNED
status-firefox70: --- → affected
status-firefox71: --- → affected
Priority: -- → P1

I will look into whether we can use the .value setter instead of .defaultValue in some cases to avoid the @value attribute disclosing the password. I believe we don't use .value because it causes the field to be "dirty" for form validation but that would only be a problem for the new login form I think.

No longer blocks: 1579512
Keywords: dataloss, regression
Regressed by: 1579512

[Tracking Requested - why for this release]: dataloss in the new about:logins

I think the more accurate/likely description would be that editing of saved login overwrote your password with spaces.

tracking-firefox70: --- → ?
OS: Unspecified → All
Hardware: Unspecified → Desktop
Summary: about:logins shows blanks for saved password, and that's exactly what it fills when used to login -- but not for all saved logins → Password overwritten with space characters after editing a login in about:logins

The previous approach of using space characters would sometimes end up causing spaces to get saved in storage and cause data loss.

Tracking since we may want to uplift to beta.

tracking-firefox70: ?+
Pushed by mozilla@noorenberghe.ca: https://hg.mozilla.org/integration/autoland/rev/8148aceb475d about:logins: Always set the password value with .value so it's not easily visible in the Inspector. r=jaws

https://hg.mozilla.org/mozilla-central/rev/8148aceb475d

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox71: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71

I have verified this issue on the latest Nightly 71.0a1 (Build ID 20190923215658) build and the Firefox Beta 70.0b9 (Build ID: 20190923154733) (64-bit) on Windows 7, MacOS 10.14 and Arch 4.14.

  • The "value" attribute and the password is no longer displayed using inspector tool with or without a master password set in the following situations:
    • Creating a new login.
    • Editing a saved login.
    • Revealing the password.
    • Inspecting the password of a login item.
Status: RESOLVED → VERIFIED
status-firefox70: fixedverified
status-firefox71: fixedverified
Component: Password Manager → about:logins
Product: Toolkit → Firefox
Target Milestone: mozilla71 → Firefox 71
Version: unspecified → 70 Branch
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: