Open Bug 1675679 Opened 5 years ago Updated 5 years ago

Password pre-filling breaks Barclays ePDQ back office

Categories

(Toolkit :: Password Manager: Site Compatibility, defect, P3)

Firefox 82

UNCONFIRMED

People

(Reporter: jake, Unassigned)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0

Steps to reproduce:

  1. Create account with Barclays for ePDQ
  2. Log in to test back-office at https://mdepayments.epdq.co.uk/
  3. Select to save password
  4. Go to Configuration > Technical Information > Data origin and verification

Actual results:

URL of the merchant page is pre-filled with PSPID (login ID).
SHA-IN is pre-filled with password.

Expected results:

Neither of the above.

It seems that Firefox is abusing the <input type=password> and deciding the previous field must be the username. Inspection shows that the autocomplete=off attribute is present on both fields.

This issue seems to pose further complications with Barclays' own JavaScript handling of these fields; as such, I had to use a different browser.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

Thanks for the report. As this issue requires a Barclays account, it's not something we'll be able to easily investigate. Would you be able to get some more information for us to help troubleshoot this issue, and see if there is a fix that might have general application, or if this needs a site-specific fix?

Please follow the steps on https://wiki.mozilla.org/Toolkit:Password_Manager/Debugging to gather the debug logs when you load this login page to reproduce the problem, and attach/paste the output into this bug. It would also be helpful to see the HTML produced for the login form. You can use File > Save Page As... to capture the markup for the page, or the Developer Tools to Copy > Copy Inner HTML on the <body> of the page. Please check there is no personally-identifiable information like your username or password in the output before attaching here. If you are worried about it, feel free to email me directly.

Component: Password Manager → Password Manager: Site Compatibility
Flags: needinfo?(jake)
Flags: needinfo?(jake)
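
An added example, not part of the bug thread or of Firefox's code: a small audit of saved page markup that lists each `<input type=password>` together with the text input that precedes it in the same form (the pairing the reporter suspects), its `autocomplete` value, and whether a `value` attribute is present and should be redacted before attaching. The "preceding text input" rule is an assumption taken from the report, not Firefox's actual heuristic, and the sample form and its field names are constructed.

```python
from html.parser import HTMLParser

TEXT_TYPES = {"text", "email", "tel", "url", ""}  # "" means no type attribute


class PasswordFieldAudit(HTMLParser):
    """Collect each <input type=password> with the text input preceding it."""

    def __init__(self):
        super().__init__()
        self.prev_text = None  # last text-like input seen in the current form
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.prev_text = None  # the pairing never crosses a form boundary
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        kind = a.get("type", "").lower()
        label = a.get("name") or a.get("id") or "(unnamed)"
        if kind == "password":
            self.findings.append({
                "password_field": label,
                "preceding_text_field": self.prev_text,
                "autocomplete": a.get("autocomplete") or None,
                "has_value": bool(a.get("value")),  # redact before attaching
            })
        elif kind in TEXT_TYPES:
            self.prev_text = label


def audit(markup):
    """Return one finding per password-type input found in the markup."""
    parser = PasswordFieldAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed sample, not the ePDQ page: the field names are invented.
SAMPLE = """
<form id="settings">
  <input type="text" name="merchant_url" autocomplete="off" value="https://shop.example/">
  <input type="password" name="passphrase" autocomplete="off" value="constructed-secret">
</form>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The report never prints the field values themselves, so its output can be pasted into a bug without leaking them.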

Requested files attached. I've redacted one piece of personally-identifiable information; if you spot any others, please redact.

Please note this is not a login form, it's a form that happens to use some fields with <input type=password> in order to hide them from prying eyes, as is the intention of that input type.

PS. The attached is from the 'test' backoffice portal for Barclaycard ePDQ. It had issues with Chrome too, but was usable: in Chrome it was actually possible both to submit a change to the SHA-IN passphrase and view its current value (from memory).

PPS. Meant to say that the 'live' backoffice portal seemed to behave better, though I only tested with Chrome. So if anyone is testing against the live Barclays interface, this could be relevant.

Thanks for all your help in providing this extra information. This will be valuable as we consider ways to improve how we detect and fill login forms and fields.

Severity: -- → S3
Priority: -- → P3