Closed Bug 1587727 Opened 6 years ago Closed 6 years ago

The password credentials are saved and are visible for another user even if the "Don't save" button was selected

Categories

(Cloud Services :: Server: Firefox Accounts, defect)

Product:
Cloud Services
Component:
Server: Firefox Accounts
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(firefox70 wontfix, firefox71 wontfix)

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
firefox70 --- wontfix
firefox71 --- wontfix

People

(Reporter: Ovidiu, Unassigned)

Details

Affected versions

  • Tested on FF beta 70.0b13 and FF Nightly 71.0a1(2019-10-09)

Affected platforms

  • Tested on Mac OS X 10.14, Windows 10 and Ubuntu 18.04

Steps to reproduce

  1. Open the browser with a new profile and log in to sync account with a valid email address and click "Continue" button. For example, I used fftestemailaddressforfxaend2endtesting@yahoo.com
  2. From the "Create a Firefox Account" page click on the "Change email".
  3. Enter a valid email address that will be used to create the Sync account --- DIFFERENT from the one used in steps 1.
  4. Enter a valid password, enter age > 21, click "Create account".
  5. Click on the "Don't Save" button from the login door hanger.
  6. Click on the "Enable Sync" button.
  7. In a new tab open the email and copy the verification account(Don't save your password).
  8. Enter your verification code and click "Verify" button.
  9. Disconnect from your sync account. (FxA button -> Sync Settings -> Disconnect… -> Just Disconnect).
  10. Focus the tab where the "Create a Firefox Account" was opened.
  11. Merge Warning is displayed, click on continue.

Expected result

  • You are redirected to the "Create a Firefox Account" page to create a new account.

Actual result

  • You are redirected to the "Create a Firefox Account" page, please see that the PASSWORD FIELDS ARE ALREADY POPULATED with the password from the account used in step 3 and the email address is the one used in step 1. Also, if you go to about:login - no password is saved there.

This occurs because of form prefill. We save the value of the email/password in memory within the app to improve the user experience when users transition from screen->screen.

This is more or less a dup of https://github.com/mozilla-mobile/firefox-tv/issues/2640 and https://github.com/mozilla/fxa/issues/2220

Shane, the mentioned issues seem to be similar to the described one, expect the fact that I don't see in any of them the step where the user doesn't want to save the credentials, see step 5 from the description.

(In reply to ovidiu boca[:Ovidiu] from comment #2)

Shane, the mentioned issues seem to be similar to the described one, expect the fact that I don't see in any of them the step where the user doesn't want to save the credentials, see step 5 from the description.

The credentials are not being filled by Firefox, rather they are being filled by FxA, from internal logic.

This is working as designed. I'm going to wontfix this, but I'll CC adavis and rfeeley in case they want to change anything.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.