Open Bug 1702967 Opened 5 years ago Updated 1 year ago

Password manager does not store multiple accounts on the same website, where the domain in the email address is the same

Categories

(Firefox :: about:logins, defect, P3)

Product:
Firefox
Component:
about:logins
Version:
Firefox 87
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox87 --- affected
firefox88 --- affected
firefox89 --- affected

People

(Reporter: theodoretucker0, Unassigned)

Details

Attachments

(2 files)

about-login-bug-screenshots-20210406.pdf
410.44 KB, application/pdf
Details
Log.txt
19.59 KB, text/plain
Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0

Steps to reproduce:

I created an account with the username example1@example.com on a website (NHS Test and Trace, https://access.login.nhs.uk/enter-email), and chose a randomly generated password for the account.

I then created another account on the same website with the username example2@example.com, and chose a randomly generated password for the account.

Actual results:

The entry in Firefox Lockwise for example1@example.com was overwritten with the entry for example2@example.com, and the same randomly generated password was provided for both.

Expected results:

I expected that two seperate entries would appear in Firefox Lockwise, one for each email-password combination.

I noted that a separate entry and password was created for an email address using a different domain, e.g. example3@anotherexample.com.

The Bugbug bot thinks this bug should belong to the 'Cloud Services::Server: Firefox Accounts' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Server: Firefox Accounts
Product: Firefox → Cloud Services
Component: Server: Firefox Accounts → about:logins
OS: Unspecified → Linux
Product: Cloud Services → Firefox
Hardware: Unspecified → x86_64

Hi theodoretucker0,

I followed the steps you described and observed the following:

  1. When you created the second account, right after you typed in the new e-mail and clicked "Continue", did a doorhanger appear asking if you would like to save the new login? (contains the new e-mail and the generated password from the previous account - masked)

  2. If you Canceled that doorhanger and proceed further, generated a new password (the same one as before - you will need to restart Firefox for a new password to be generated) and submitted the form -> a Save username and password was displayed with the new username?

I just followed what I described above and I got 2 separate entries with the same generated password (If I did not restart).
If you could re-do the scenario with bogus emails and see how it goes that would be great, thanks! Also, a screen-recording could also be useful in case it takes to long to type down things.

Thank you!

Flags: needinfo?(theodoretucker0)
Flags: needinfo?(theodoretucker0)

Hello Timea, thank you for your message.

  1. I have attached screenshots (in a PDF -- about-login-bug-screenshots-20210406.pdf) which shows what I experienced.
  2. If I cancel the doorhanger (I assume the one with options "Update" and "Don't Update"?) and submit the form, then no entry at all appears in about:logins, meaning that the 1st test account is not overwritten.

I hope this is helpful, and that I have not missed anything.

Thanks again.

That pdf doc was top-notch! Thank you very much for taking the time to create it. I also managed to reproduce the issue now on the latest Nightly 89 as well as on the latest Release 87.

To summarize it up:

  • This seems to be related if not strongly connected to the password generation feature. I can't reproduce it by doing the same scenario with hand written passwords on any other site register (or login with forced password generation option) form. (I will be prompted to save new login credentials). I could reproduce the issue with simple usernames as well, not specifically emails with the same domain.

  • If we use password generation again (that is the same as the one for the first saved entry), we will be prompted to update the first entry that got saved with the same generated password although we have a new username typed in. The new username is captured and displayed in the doorhanger but the prompt will ask the user to update the existing login and it will overwrite it.

Attaching debug log in hope it can further help investigations. My memory is a bit shady for what change could've caused this or if there is a known bug. Will try to look into it a bit more.
Thanks again for this bug report!

Steps to repro:

  1. Go to https://luke-chang.github.io/autofill-demo/autocomplete-all.html
  2. Fill in the Register form at the bottom of the page with:
  • username1
  • generated password
    (choose to update so you have the complete credentials saved and reload the form)
  1. Fill in the Register form at the bottom of the page with:
  • username2
  • generated password (with the password generation option)

(open the dismissed doorhanger and see that it offers to update, choose to update -> the first credentials are overwritten with the new username)

Severity: -- → S3
Status: UNCONFIRMED → NEW
status-firefox87: --- → affected
status-firefox88: --- → affected
status-firefox89: --- → affected
Ever confirmed: true

Thanks for spotting and filing this, with all the details you've attached here.

We determine whether to create a new login record or update an existing on in/around here: https://searchfox.org/mozilla-central/source/toolkit/components/passwordmgr/LoginManagerPrompter.jsm#401 We just need to be careful not to regress the case where a user is adding or editing the username on a new login with a generated password.

Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: