Password manager updates wrong password signing-on to banking.westpac.com.au
Categories
(Toolkit :: Password Manager: Site Compatibility, defect, P3)
People
(Reporter: bugzilla, Unassigned, NeedInfo)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
Steps to reproduce:
Used Password Manager to remember Customer ID and correct password when signing-in to banking.westpac.com.au, then signed-out and attempted to sign-in again.
Actual results:
Even when the password entered matches the (correct) password previously stored in Password Manager, Firefox still asks to "Update" the password. Accepting the offer to update the password replaces the correct password with an incorrect, seemingly random password in about:logins.
Expected results:
The password manager should not offer to "update" the password if it matches that in about:logins. I have no idea from where the replacement password is coming in this case — it certainly is not user input.
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Firefox::about:logins' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•3 years ago
:oneofthedamons thanks for reporting this bug.
I've taken a quick look and this site uses some hidden fields for username/password. Moving to Site compatibility.
Comment 3•3 years ago (Reporter)
Strangely I can't replicate this issue on Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0.
Comment 4•3 years ago (Reporter)
Sorry should have added Version string 96.0b4
Comment 5•3 years ago
(In reply to oneofthedamons from comment #4)
> Sorry should have added Version string 96.0b4
Hi oneofthedamons,
Could you share which Firefox version you were using when you encountered this issue?
Comment 6•3 years ago (Reporter)
96.0b4 on MacOS. It's strange that I can't replicate it on 96.0b4 on Windows 10, but I've tried it in Troubleshooting Mode and a Private Window to eliminate an extension or state causing the issue on MacOS, but it still occurs…
Comment 7•3 years ago
The severity field is not set for this bug.
:sgalich, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 8•3 years ago
Hi oneofthedamons:
I am not able to reproduce this issue on MacOS 12.0.1.
Could you help collect debugging logs for this issue?
Here is how to do that; there is also a video guide: https://wiki.mozilla.org/Toolkit:Password_Manager/Debugging
Really appreciate your help!
Comment 9•3 years ago (Reporter)
Done! I wasn't comfortable with the username being included in the debug logs so I have redacted each occurrence with the text "REDACTED" — I hope that's ok?
Comment 10•3 years ago
The severity field is not set for this bug.
:sgalich, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 11•3 years ago
Hi oneofthedamons,
Thank you for dumping the log! And yes, replacing the username is not a problem at all :)
From the log, Firefox picked the correct password field to check whether we should show the doorhanger. And it does think the password is different than the saved one, that's weird.
So I would like to confirm my understanding:
- When you go to the page, the password we autofilled or autocompleted is correct
- After you click "Sign In", the password in the doorhanger is the WRONG one.
If the above is true, could you help open the Developer Tool Console and type document.querySelector("input[name=password]").value (this should print the value of the password field).
And let me know whether the value printed is the correct password or the wrong password coming from nowhere (of course, don't share the password with me, just which case it is).
Also, I saw you reproduce this bug in private browsing mode. Could you also test whether this can be reproduced in non-private browsing mode? Thank you!
Comment 12•3 years ago (Reporter)
When I input the correct password into the password field, and then press the "Update" button in "Update login for westpac.com.au?" (see attachment), the password I have entered is not the password that is updated in Password Manager. It's a different, seemingly random, password each time.
If I manually edit the password in about:logins so that it is the correct password, then upon reloading banking.westpac.com.au it autofills correctly, the correct password is returned by document.querySelector("input[name=password]").value in the Developer Tool console and the site allows me to login. However the same behaviour then occurs: Firefox offers to update the password (even though it is the same password as I manually entered in about:logins), and upon allowing Password Manager to update the password it replaces the correct password with an incorrect password. When I reload banking.westpac.com.au the password autofills with the (now incorrect) value in about:logins which is the same value returned by document.querySelector("input[name=password]").value in the Developer Tool console.
I hope that makes sense?
The seemingly random, replacement password is always of the same form; Westpac has ridiculous password requirements that indicate their systems are stuck in c.1995 — "exactly 6 characters including at least 1 number and 1 letter". The random password is always of this form, which may be significant.
I confirm this happens in non-private browsing mode too.
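The check requested in comment 11 can be widened to every password-like input, hidden ones included, while reporting only each value's length, character mix and whether it equals the expected password, so the output can be pasted into a bug without disclosing the credential. This is an added example, not part of the original thread and not Firefox code; the field name hiddenPassword, the sample values and the hidden-field heuristic are assumptions constructed for illustration.

```javascript
// Added example: summarise candidate credential fields without revealing values.
// `fields` is any array of objects exposing name/type/value (DOM inputs qualify).
function describeShape(value) {
  return {
    length: value.length,
    letters: (value.match(/[A-Za-z]/g) || []).length,
    digits: (value.match(/[0-9]/g) || []).length,
    other: (value.match(/[^A-Za-z0-9]/g) || []).length,
  };
}

function isHidden(field) {
  // Heuristic (assumption): type=hidden, or not rendered, which a browser
  // reports as offsetParent === null for most non-fixed elements.
  return field.type === "hidden" || field.offsetParent === null;
}

function summarizeCredentialFields(fields, expectedPassword) {
  return fields
    .filter((f) => f.type === "password" || /pass|pwd/i.test(f.name || ""))
    .map((f) => ({
      name: f.name || "(unnamed)",
      type: f.type,
      hidden: isHidden(f),
      shape: describeShape(f.value || ""),
      matchesExpected: (f.value || "") === expectedPassword,
    }));
}

// Constructed sample, not captured from the site: a visible field holding what
// the user typed and a hidden field holding a different 6-character value.
const sampleFields = [
  { name: "username", type: "text", value: "REDACTED", offsetParent: {} },
  { name: "password", type: "password", value: "abc123", offsetParent: {} },
  { name: "hiddenPassword", type: "hidden", value: "x7k2q9", offsetParent: null },
];

const report = summarizeCredentialFields(sampleFields, "abc123");
console.table(report);
// In a page console, pass the live inputs and type the expected value locally:
// summarizeCredentialFields([...document.querySelectorAll("input")], "<expected>")
```

A row with hidden set to true, matchesExpected set to false and a shape that fits the site's password rule points at a second field as the source of the value offered in the doorhanger.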
Comment 13•3 years ago
Hi oneofthedamons, really appreciate the detailed information!
I know I've asked a lot, but could you help check if this issue is reproduced in troubleshooting mode[1]? Thanks!
[1] https://support.mozilla.org/en-US/kb/diagnose-firefox-issues-using-troubleshoot-mode
Comment 14•3 years ago (Reporter)
Yep as per Comment 6 I've already tried in Troubleshooting Mode, unless you wanted me to do the specific steps you outlined in Comment 11 in Troubleshooting Mode?
Comment 15•3 years ago
(In reply to oneofthedamons from comment #14)
> Yep as per Comment 6 I've already tried in Troubleshooting Mode, unless you wanted me to do the specific steps you outlined in Comment 11 in Troubleshooting Mode?
Ah, you're right, I forgot that. No, you don't have to test again.
Comment 16•3 years ago
The severity field is not set for this bug.
:sgalich, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 17•3 years ago
Hi oneofthedamons,
Could you help test if this issue is reproduced in Safari and Chrome? Really appreciate your help!
Comment 18•3 years ago (Reporter)
I can't replicate the issue on either Edge or Safari.
As part of the process I entirely deleted the entry for banking.westpac.com.au in the Firefox about:logins, but the issue still occurs when it is recreated.
My position with these things is I assume it's usually something I've done (particularly with my very old Firefox profile!) so I tried downloading Nightly, and not connecting it via Firefox Sync. Replicated the issue on this non-customised Nightly installation.
Comment 19•3 years ago
Hi oneofthedamons,
Could you help set the pref signon.formlessCapture.enabled to false and try again? Thanks!
Comment 23•4 months ago
Hello, I did spot a few other references where this setting (signon.formlessCapture.enabled) needed to be set to false, notably where passwords contained the dollar sign, but there may be other real or edge cases.
As non-technical users would be reluctant to venture into "about:config", especially given the warning at the entry point, I was wondering if there was any current work going on in the "formless capture" code area? It would be good PR to get this area clean and glitch-free, as it would avoid losing loyal users to the other well-known browsers that do NOT exhibit these issues (as far as I can tell from the STRs and workarounds posted).