280732 - Password saved when "No" answered to post login dialog prompt

Status: RESOLVED WORKSFORME

(Toolkit :: Password Manager, defect)

Description

[njh123]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

On two different websites my user login and password was saved and later
repopulated in a future, new session, after answering "NO" to the "Do you want
to save this password..." prompt.

This happened after a clean v1.0 install, with all of the default settings in
tact.  No master password was set.

This is obviously a large security flaw, where I was very concerned to see my
user name and password auto-populated on my banking website.

Reproducible: Always

Steps to Reproduce:
1.Clean install, open Firefox
2.Load site with a login/pass
3.Enter user/pass information
4.Login to website
5.Click the "No" button on the "save password?" prompt
6.Exit Firefox
7.Open Firefox
8.Go to previously used website


Actual Results:  
My username and password were auto-populated, even though I had selected "No",
do not save this username/password.

Expected Results:  
The username/password fields should have been empty.

Comment 1

[Daniel Veditz [:dveditz]]

I could not reproduce this on the consumerreportes.org site linked above nor the
couple others I tried.

The user name was saved by the form auto-fill feature (if it's on), but not the
password.

Comment 2

[Jesse Ruderman]

This doesn't sound like the kind of security bug where it helps to keep the bug
hidden.

WFM.  Please reopen if you still see this bug in Deer Park Alpha 2, or if you
determine that the bug was caused by an extension.