Open Bug 1745712 Opened 2 years ago Updated 20 days ago

Password manager updates wrong password signing-on to banking.westpac.com.au

Categories

(Toolkit :: Password Manager: Site Compatibility, defect, P3)

Firefox 96

UNCONFIRMED

People

(Reporter: bugzilla, Unassigned)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0

Steps to reproduce:

Used Password Manager to remember Customer ID and correct password when signing-in to banking.westpac.com.au, then signed-out and attempted to sign-in again.

Actual results:

Even when the password entered matches the (correct) password previously stored in Password Manager, Firefox still asks to "Update" the password. Accepting the offer to update the password replaces the correct password with an incorrect, seemingly random password in about:logins.

Expected results:

The password manager should not offer to "update" the password if it matches that in about:logins. I have no idea from where the replacement password is coming in this case — it certainly is not user input.

The Bugbug bot thinks this bug should belong to the 'Firefox::about:logins' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → about:logins

:oneofthedamons thanks for reporting this bug.

I've taken a quick look and this site uses some hidden fields for username/password. Moving to Site compatibility.

Component: about:logins → Password Manager: Site Compatibility
Product: Firefox → Toolkit

Strangely I can't replicate this issue on Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0.

Sorry should have added Version string 96.0b4

(In reply to oneofthedamons from comment #4)

Sorry should have added Version string 96.0b4

Hi oneofthedamons,
Could you share which Firefox version you were using when you encountered this issue?

Flags: needinfo?(bugzilla)

96.0b4 on MacOS. It's strange that I can't replicate it on 96.0b4 on Windows 10, but I've tried it in Troubleshooting Mode and a Private Window to eliminate an extension or state causing the issue on MacOS, but it still occurs…

Flags: needinfo?(bugzilla)

The severity field is not set for this bug.
:sgalich, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sgalich)

Hi oneofthedamons:
I am not able to reproduce this issue on MacOS 12.0.1
Could you help collect debugging logs for this issue?
Here is how to do that, there is also a video guide: https://wiki.mozilla.org/Toolkit:Password_Manager/Debugging
Really appreciate your help!

Flags: needinfo?(bugzilla)
Flags: needinfo?(sgalich)

Done! I wasn't comfortable with the username being included in the debug logs so I have redacted each occurrence with the text "REDACTED" — I hope that's ok?

Flags: needinfo?(bugzilla)

The severity field is not set for this bug.
:sgalich, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sgalich)

Hi oneofthedamons,
Thank you for dumping the log! And yes, replacing the username is not a problem at all :)
From the log, Firefox picked the correct password field to check whether we should show the doorhanger. And it does think the password is different than the saved one, that's weird.
So I would like to confirm my understanding:

  1. When you go to the page, the password we autofilled or autocompleted is correct
  2. After you click "Sign In", the password in the doorhanger is the WRONG one.

If the above is true, could you help open the Developer Tool Console and type document.querySelector("input[name=password]").value (this should print the value of the password field).
And let me know whether the value printed is the correct password or the wrong password coming from nowhere (of course, don't share the password with me, just which case it is).

Also, I saw you reproduced this bug in private browsing mode. Could you also test whether this can be reproduced in non-private browsing mode? Thank you!

Flags: needinfo?(sgalich) → needinfo?(bugzilla)
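
An added example, not part of the original thread and not Mozilla's code: a console helper for the check requested in the comment above, reporting which password-like fields changed between two moments without printing any value. The sample field objects and the `token` field name are constructed; only the `password` field name comes from the thread.

```javascript
// Added example for use in the DevTools console; not Mozilla's code.

// Describe a value without revealing it: length plus character classes.
function shape(value) {
  const classes = [];
  if (/[a-z]/i.test(value)) classes.push("letters");
  if (/[0-9]/.test(value)) classes.push("digits");
  if (/[^a-z0-9]/i.test(value)) classes.push("other");
  return `${value.length} chars (${classes.join("+") || "empty"})`;
}

// Record every password-like input, hidden ones included.
// `inputs` is any iterable of objects with name/type/value; DOM inputs qualify.
function snapshot(inputs) {
  const seen = new Map();
  for (const el of inputs) {
    if (el.type === "password" || el.type === "hidden" || /pass/i.test(el.name)) {
      seen.set(el.name || el.id || "(unnamed)", { type: el.type, value: el.value });
    }
  }
  return seen;
}

// Compare two snapshots and report names, types and shapes only, never values.
function changedFields(before, after) {
  const report = [];
  for (const [name, now] of after) {
    const was = before.get(name);
    if (!was || was.value !== now.value) {
      report.push({
        name,
        type: now.type,
        before: was ? shape(was.value) : "absent",
        after: shape(now.value),
      });
    }
  }
  return report;
}

// Constructed sample data showing the report format (not captured from the site).
const afterAutofill = [{ name: "password", type: "password", value: "ab12cd" }];
const atDoorhanger = [
  { name: "password", type: "password", value: "q7xk2m" },
  { name: "token", type: "hidden", value: "t0k3n" },
];
console.log(changedFields(snapshot(afterAutofill), snapshot(atDoorhanger)));
// In a browser: const before = snapshot(document.querySelectorAll("input"));
```

In the console, take one snapshot after autofill and another when the doorhanger appears, then share only the `changedFields` output in the bug.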

When I input the correct password into the password field, and then press the "Update" button in "Update login for westpac.com.au?" (see attachment), the password I have entered is not the password that is updated in Password Manager. It's a different, seemingly random, password each time.

If I manually edit the password in about:logins so that it is the correct password, then upon reloading banking.westpac.com.au it autofills correctly, the correct password is returned by document.querySelector("input[name=password]").value in the Developer Tool console and the site allows me to log in. However the same behaviour then occurs: Firefox offers to update the password (even though it is the same password as I manually entered in about:logins), and upon allowing Password Manager to update the password it replaces the correct password with an incorrect password. When I reload banking.westpac.com.au the password autofills with the (now incorrect) value in about:logins which is the same value returned by document.querySelector("input[name=password]").value in the Developer Tool console.

I hope that makes sense?

The seemingly random, replacement password is always of the same form; Westpac has ridiculous password requirements that indicate their systems are stuck in c.1995 — "exactly 6 characters including at least 1 number and 1 letter". The random password is always of this form, which may be significant.

I confirm this happens in non-private browsing mode too.

Flags: needinfo?(bugzilla)

Hi oneofthedamons, really appreciate the detailed information!
I know I've asked a lot, but could you help check if this issue is reproduced in troubleshooting mode[1]? Thanks!

[1] https://support.mozilla.org/en-US/kb/diagnose-firefox-issues-using-troubleshoot-mode

Flags: needinfo?(bugzilla)

Yep as per Comment 6 I've already tried in Troubleshooting Mode, unless you wanted me to do the specific steps you outlined in Comment 11 in Troubleshooting Mode?

Flags: needinfo?(bugzilla)

(In reply to oneofthedamons from comment #14)

Yep as per Comment 6 I've already tried in Troubleshooting Mode, unless you wanted me to do the specific steps you outlined in Comment 11 in Troubleshooting Mode?

Ah, you're right, I forgot that. No, you don't have to test again.

The severity field is not set for this bug.
:sgalich, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sgalich)

Hi oneofthedamons,
Could you help test if this issue is reproduced in Safari and Chrome? Really appreciate your help!

Flags: needinfo?(bugzilla)

I can't replicate the issue on either Edge or Safari.

As part of the process I entirely deleted the entry for banking.westpac.com.au in the Firefox about:logins, but the issue still occurs when it is recreated.

My position with these things is I assume it's usually something I've done (particularly with my very old Firefox profile!) so I tried downloading Nightly, and not connecting it via Firefox Sync. Replicated the issue on this non-customised Nightly installation.

Flags: needinfo?(bugzilla)
Severity: -- → S2
Flags: needinfo?(sgalich)

Hi oneofthedamons,
Could you help set the pref signon.formlessCapture.enabled to false and try again? Thanks!

Flags: needinfo?(bugzilla)
Priority: -- → P3

That resolved the issue!

Flags: needinfo?(bugzilla)
Depends on: 1771806