Open Bug 1584185 Opened 5 months ago Updated 4 months ago

Password auto-filled with the wrong password (generated password)

Categories

(Toolkit :: Password Manager, defect, P2)

Tracking

Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox69 --- disabled
firefox70 --- wontfix
firefox71 --- wontfix

People

(Reporter: aflorinescu, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [passwords:generation] [skyline])

Attachments

(1 file)

[Environment:]

71.0a1 20190926094200
70.0b9 20190923154733

[Description:]

This scenario is only achievable if you access a change password form that has a current password field, a generated_password already generated and only ONE valid set of credentials saved, excluding the auto-saved entry by the generate password one.

[Steps:]
  1. Open Fx with a new profile.
  2. Open imgur.com/signin and click on the password field -> generate (reproducible with other change password forms as well) - do not interact with the autosaved password or door-hanger.
  3. Restart browser.
  4. Access the login form again and log in to your imgur.com account -> save user/password.
  5. Open Settings/Passwords & Email options (imgur)
  6. Inspect password, make it text type so you can read it.

[Actual Result:]

The password auto-filled in the password field is the generated password and not the user password as expected.
logs: https://pastebin.com/qmfSdwjH

[Expected Result:]

The password filled into the password should be the user password, or we shouldn't autofill at all in this particular case.

Attached file Pass_only.html

Reduced steps:

  1. Load comment 1 form.
  2. Input a password - press Login -> use door-hanger to add a username and save the entry.
  3. Reload form / Right click / Fill / Generate Secure password.
  4. Refresh form.

Actual Result:
The generated auto-saved password is auto-filled.

Matt, do you think this is edge case enough to not block? Assuming that is why you marked it P2.

Flags: needinfo?(MattN+bmo)

To sum up, this particular bug might be a show-stopper for some change password forms - like the ones that do not throw proper error messages - and an annoyance in the cases in which the password form does have proper error messages. Furthermore, even though it's not necessarily a typical edge case, it needs a few requirements to get triggered (see also https://bugzilla.mozilla.org/show_bug.cgi?id=1570319#c0).

My understanding discussing this bug with Matt was that this might be tricky to fix without breaking existing password only functionality and that further thought is needed on it. Strictly from the QA perspective, we'd like to have this bug fixed for Fx70, but wouldn't force a risky fix.

I'd guess the above should explain why this bug is P2/normal at this moment.

(In reply to Liz Henry (:lizzard) from comment #3)

Matt, do you think this is edge case enough to not block? Assuming that is why you marked it P2.

Yeah, that’s correct. We know that the initial version of password generation has flaws due to the amount of scope cut and that was accepted by product/UX. We don’t really have time to add new scope now and it would be risky to change it now. The user has a workaround by clearing the password field and seeing both suggestions in autocomplete or by visiting about:logins.

Flags: needinfo?(MattN+bmo)