Open Bug 1600397 Opened 1 year ago Updated 3 months ago

Firefox prompts twice to save a password: once with the password and once with the munged client-side hash/encrypted value

Categories

(Toolkit :: Password Manager, defect, P2)

68 Branch
defect

Tracking


Tracking Status
firefox-esr68 --- wontfix
firefox-esr78 --- wontfix
firefox71 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- wontfix
firefox77 --- wontfix
firefox78 --- wontfix
firefox79 --- fix-optional

People

(Reporter: moz, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug, Regression)

Details

(Keywords: regression, Whiteboard: [passwords:capture-UI])

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

  1. Visit a specific website
  2. Enter my login data (username + password) and log in
  3. When asked, confirm saving login data (you sometimes get asked twice. If you do, confirm twice.)
  4. Log out
  5. Log in again using the stored username/password

Actual results:

At 2., login works fine.
At 3., it saves an incorrect password. If you open the password manager (chrome://passwordmgr/content/passwordManager.xul) and show the password for this site, it shows something very long beginning with "rsa:BzP/" and it has 349 chars.
At 5. I get an error message dialog "Message too long for RSA" and cannot login.

If you look into

Expected results:

At 3., save password without breaking it.
At 5., log in just fine.

Additional info:
I have some experience in software development and debugging. If you tell me what to do, I may be able to help with debugging.

It seems like other websites are affected too. There is a report on this site: https://www.romantica.chat/faq/bekannte-probleme/firefox-passworthandling/

You can reproduce this issue on that website by trying to log in with these credentials:
E-Mail-Address: name@example.com
Password: abcdef

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

Thank you for the report. I believe this is a regression from the formless capture

(In reply to Christian Stadelmann from comment #0)

When asked, confirm saving login data (you sometimes get asked twice. If you do, confirm twice.)

I believe the double-prompt is the problem… the first prompt would have the correct password but it gets replaced by the 2nd one. I think we would need to address this with a UI like Chrome has recently added with a dropdown for the password: https://cl.ly/b687986d0924

At 3., it saves an incorrect password. If you open the password manager (chrome://passwordmgr/content/passwordManager.xul) and show the password for this site, it shows something very long beginning with "rsa:BzP/" and it has 349 chars.

The site is using a library to do client-side encryption (see handleFormSubmitRequest from https://www.romantica.chat/typo3/sysext/rsaauth/Resources/Public/JavaScript/RsaEncryptionWithLib.min.js?1505826096).

That library should submit the required value with an <input type=hidden> or through JS, not modify the field's value.

Can you confirm that setting the about:config preference signon.formlessCapture.enabled to false fixes the issue?

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(moz)
Keywords: regression
Priority: -- → P2
See Also: → 257781
Summary: Firefox updates and destroys password, gives error message "Message too long for RSA" → Firefox prompts twice to save a password: once with the password and once with the munged client-side hash/encrypted value
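The two submission patterns described in this comment, as an added illustration that is neither Firefox code nor the site's library: a submit handler that overwrites the password field's own value beside one that carries the ciphertext in a hidden input. The encryption step (a stand-in, not RSA), the plain-object field model, and disabling the password control so the plaintext is not transmitted are constructed assumptions for the demo.

```javascript
// Added illustration, not Firefox code or the site's library. The "encryption"
// is a constructed stand-in (not real RSA); only the "rsa:" prefix mirrors the
// value quoted in the bug report.
function fakeEncrypt(plain) {
  return "rsa:" + Buffer.from(plain, "utf8").toString("base64").repeat(8);
}

// Constructed login form: a minimal stand-in for the DOM form controls.
function makeForm() {
  return [
    { name: "user", type: "text", value: "name@example.com", disabled: false },
    { name: "pass", type: "password", value: "abcdef", disabled: false },
  ];
}

// Pattern the report describes: the handler overwrites the password field's
// own value, so anything that reads the field afterwards (a browser's
// form-capture heuristic included) sees the ciphertext, not the typed password.
function submitOverwritingField(form) {
  const pw = form.find((f) => f.type === "password");
  pw.value = fakeEncrypt(pw.value);
  return form;
}

// Pattern recommended in the comment: hand the ciphertext over in a hidden
// input and leave the password field's value alone. Disabling the control is
// the demo's assumption for keeping the plaintext out of the submission
// (disabled controls are excluded from form data).
function submitWithHiddenField(form) {
  const pw = form.find((f) => f.type === "password");
  form.push({ name: "pass_enc", type: "hidden", value: fakeEncrypt(pw.value), disabled: false });
  pw.disabled = true;
  return form;
}

// Name/value pairs a browser would transmit for this form.
function formData(form) {
  return form.filter((f) => !f.disabled).map((f) => [f.name, f.value]);
}

// What a capture heuristic that reads password-type fields would record.
function capturedPassword(form) {
  const pw = form.find((f) => f.type === "password");
  return pw ? pw.value : null;
}
```

With the overwriting handler both the submitted `pass` value and the captured password start with `rsa:`; with the hidden-field handler the captured value stays `abcdef` while only `pass_enc` is transmitted.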

(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #3)

Thank you for the report. I believe this is a regression from the formless capture

(In reply to Christian Stadelmann from comment #0)

When asked, confirm saving login data (you sometimes get asked twice. If you do, confirm twice.)

I believe the double-prompt is the problem…

You are right, if I look closely I always get a double-prompt for saving the password, sometimes in a way that I first see the normal (correct) prompt with a short passphrase and then a few (milli-)seconds later the prompt gets updated with the way-too-long password.

[…]
Can you confirm that setting the about:config preference signon.formlessCapture.enabled to false fixes the issue?

Only if I restart Firefox after setting that preference. In this case yes, it fixes the issue for me on two sites tested.

Flags: needinfo?(moz)

Thanks. This was caused by bug 1287202 then :(

Regressed by: 1287202

Reproduced on affected Nightly 73, Beta 72 and Release 71, marking flags accordingly.

As a note, if you check the password in the Save door-hanger, for the first 2 seconds you can see the masked "abcdef" and then it instantly gets replaced by the RSA version of it.

Duplicate of this bug: 1602993
Whiteboard: [passwords:capture-UI]
See Also: → 1583150

Lowering to P3 since we will implement a mitigation in bug 1560468.

Depends on: 1560468
Priority: P2 → P3
Blocks: 1641127
Attached video Amazon Case

Attaching recording for amazon.com

Reproduced on Windows 7 with Nightly v79.0a1 from 2020-06-09.

Reproducible on Windows 10 - Firefox Nightly 79.0a1 (2020-06-09) (32-bit)

Reproducible on Ubuntu 18.04 LTS - Firefox Nightly 79.0a1 (2020-06-10) (64-bit)

Duplicate of this bug: 1646260
Duplicate of this bug: 1645654
Priority: P3 → P2