Open Bug 1601375 Opened 4 years ago Updated 2 years ago

Firefox asks for master password when it shouldn't (credentials stored for unrelated subdomain)

Categories

(Toolkit :: Password Manager, defect, P3)

Product:
Toolkit
Component:
Password Manager
Version:
71 Branch
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox71 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- wontfix
firefox75 --- wontfix
firefox76 --- fix-optional

People

(Reporter: bugzilla-mozilla, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, Whiteboard: [passwords:primary-password])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0

Steps to reproduce:

I have previously stored a HTTP basic auth password for one site, let's call it sub1.example.org, in the Firefox password safe, which is protected with a master password.

After upgrading from Firefox 70 to 71, I am now prompted to enter my master password for a HTTP POST-based login form on site sub2.example.org, which has nothing to do with the basic auth login on the other subdomain. I control both subdomains so I know that their code hasn't changed (i.e. there is certainly no sub1.example.org frame embedded into sub2.example.org or similar).

If I do enter the master password, Firefox doesn't fill in any credentials on sub2.example.org, which is expected because the basic auth credentials from sub1.example.org do of course not match the HTTP POST input fields on sub2.example.org

Actual results:

I am asked to enter my master password although there are only passwords stored for an unrelated, different subdomain.

Expected results:

No password prompt, like in Firefox 70 and earlier.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

Good find. I think the problem is that we request logins from storage with subdomains and then filter out the inexact matches which is wrong in this case.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: qe-verify+
Keywords: regression
Priority: -- → P2
Regressed by: 589628

Reproduced on Windows 10 x64, Latest Nightly, Beta and Release. Unfortunately, we didn't have a test for this scenario, added it now.

status-firefox71: --- → affected
status-firefox72: --- → affected
status-firefox73: --- → affected

Too late for a fix in 72 at this point, but we could still take a patch for 74.

status-firefox72: fix-optionalwontfix
status-firefox73: affectedfix-optional
status-firefox74: --- → affected

:mattn, can you or someone in your team spend some cycles on this (tracked as carry-over regression for 74)?

Flags: needinfo?(MattN+bmo)

It's not a priority unfortunately since it affects less than 1% of the userbase. We're tracking it as a P2 so will re-evaluate relative to other priorities eventually.

Severity: normal → S3
Flags: needinfo?(MattN+bmo)
See Also: → 1653547
Whiteboard: [passwords:primary-password]
Has Regression Range: --- → yes

Moving to P3 as this is not happening in the next release cycle.

Priority: P2 → P3
You need to log in before you can comment on or make changes to this bug.