Open Bug 1641127 Opened 8 months ago Updated 8 months ago

mindbodyonline.com tries to change password to some base64 blob after login

Categories

(Toolkit :: Password Manager: Site Compatibility, defect, P3)

Unspecified
macOS
defect

Tracking

()

People

(Reporter: cpeterson, Unassigned)

References

(Depends on 1 open bug, )

Details

Attachments

(1 file)

Steps to reproduce

  1. Load http://clients.mindbodyonline.com/ws.asp?studioid=20638&stype=-99
  2. Log in using Email and Password.
  3. The login will succeed and Firefox will ask if you'd like to save your password, so save it now.
  4. You will now be on mindbody's "MY INFO" page.
  5. Click to another section on the page such as "YOGA & MAT CLASSES" or "ONLINE STORE".

Expected result

The page should switch to the other section.

Actual result

The page does switch to the other section, but Firefox shows a door hanger asking me if I'd like to change my password to some string that looks base64 encoded (something like "xxxxxxxxxxxxxxx/xxxxxx=="). Firefox shows this door hanger every time I switch from the "MY INFO" section to another section.

I've attached the Browser Console log (as per the Password Manager/Debugging wiki's instructions. The log includes all the steps from my STR above: a successful login and then a switch away from the "MY INFO" section.

This door hanger seems like new problem because I use this website every week and first noticed this problem today. I tried bisecting for a Firefox regression using mozregression, but I could reproduce the door hanger at least as far back as Firefox 68 (July 2019). So I suspect this is a website content change, though I don't see any obvious visual differences compared to the website last week.

We are actively working on providing the correct password in a dropdown as a mitigation (parity-Chrome) and will also figure out how to prefer the non-hashed version in some cases.

Severity: -- → S3
Depends on: 1600397
Priority: -- → P3
Attachment #9151964 - Attachment filename: mindbodyonline.com_login.log → mindbodyonline.com_login.txt
Attachment #9151964 - Attachment mime type: application/octet-stream → text/plain

I guess this is slightly different than bug 1600397 since this prompt happens on every navigation rather than only at login time.

You need to log in before you can comment on or make changes to this bug.