Open Bug 286857 Opened 16 years ago Updated 1 year ago

Wrong password field autofilled at https://finanzonline.bmf.gv.at/ due to 2 type=password

Categories

(Toolkit :: Password Manager: Site Compatibility, defect, P3)

Product:
Toolkit
Component:
Password Manager: Site Compatibility
Platform:
All
Other
Type:
defect

Tracking

()

People

(Reporter: 3.14, Unassigned)

References

(
URL
)

Details

Attachments

(1 file)

WIP - Example recipe (not sure which field to use for the username)
997 bytes, patch
Details | Diff | Splinter Review
Assignee: dveditz → nobody
I was just about to file this bug, obviously I did a year ago.

pi
Problem still exists in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070111 SeaMonkey/1.1

The problem is also true if you switch Javascript off.

pi
For what it's worth, this does work using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1. It does only store one of the two password fields, though. Is there a bug about saving multiple password values?
(In reply to comment #0)
> I have set user_pref("wallet.crypto.autocompleteoverride", true); and

Removing reference to this preference from bug summary, as the site does not use this attribute.
(Fwiw, it would otherwise depend on bug 425145 now.)

Ftr, page source is +/- like
{{
<LABEL for="TID"><b>Teilnehmer-Identifikation:</b></LABEL>
<FORM action='/fon/login?'  name="LoginForm" method="post"> 
<INPUT size="20" type="text" maxlength="12" name="TID" class="inputArea" id="TID" value="">
<LABEL for="BENID"><b>Benutzer-Identifikation:</b></LABEL>
<INPUT size="20" type="password" maxlength="12" name="BENID" id="BENID"	value="">
<LABEL for="PIN"><b>PIN:</b></LABEL>
<INPUT size="20" type="password" maxlength="12" name="PIN" id="PIN" value="">
}}


(In reply to comment #7)
> this does work using Mozilla/5.0 (Macintosh; U; Intel Mac
> OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1. It does only
> store one of the two password fields, though.

Could you check Firefox 3.1b2 and a recent (after bug 433316 & co) SeaMonkey v2.0a3pre ?
QA Contact: privacy
Summary: Password not saved despite setting wallet.crypto.autocompleteoverride to true → Password(s) not saved at https://finanzonline.bmf.gv.at/
With Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b3pre) Gecko/20090223 SeaMonkey/2.0a3 the problem changed. Something is saved, but even worse, wrong data!

The first (Teilnehmer-Identifikation) is saved correctly, the second (Benutzer-Identifikation) is saved, but incorrectly namely with the content of the third field (PIN) which in turn is left blank.

I could understand (still a bug) that the third field is not saved, but I cannot understand how wrong data is saved. That looks like bug 486829 (when converting the profile wrong data was saved) or bug 474846 comment 16.

pi
If this still happens then, it's a toolkit bug, though.
Component: Passwords & Permissions → Password Manager
Product: SeaMonkey → Toolkit
QA Contact: privacy → password.manager
Sites with more than a user name and password field to remember is 222589.
Status: REOPENED → RESOLVED
Closed: 11 years ago8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 222589
Actually, as I reported, it does save something but fills something else. This is different from bug 222589.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
I can confirm that the password in the second password field is autofilled into the first password field after choosing the username from autocomplete.
Status: REOPENED → NEW
Hardware: x86 → All
Summary: Password(s) not saved at https://finanzonline.bmf.gv.at/ → Wrong password field autofilled at https://finanzonline.bmf.gv.at/
Summary: Wrong password field autofilled at https://finanzonline.bmf.gv.at/ → Wrong password field autofilled at https://finanzonline.bmf.gv.at/ due to 2 type=password
Hi Boris, we recently made improvements to password manager which can help with this bug but we will still only be able to save one "username" and one "password" and we will properly fill them back into the correct fields but I am not sure which field I should save as the "username" field: should it be "Teilnehmer-Identifikation" or "Benutzer-Identifikation"?

Thanks
Flags: needinfo?(3.14)
I would put the username in Teilnehmer and the password in PIN.
Flags: needinfo?(3.14)
Just to double-check:
* What do the 3 fields represent? And which of the first two are associated with an individual?
* Are all three field values chosen by the account holder or are some assigned?
* Suppose a Firefox profile shared by a household has accounts for multiple members of the household on the same bank, could either of Teilnehmer or Benutzer be the same?

Thanks, I'm not familiar with this system and want to make sure the interaction will make sense in various cases.
Flags: needinfo?(3.14)
Honestly, this form is a bit stupid. The first two are both referring to the user. 

If I recall correctly, one is assigned, the second not sure, this is not something I would naturally choose.

This is a government tax filing system.
Flags: needinfo?(3.14)
Yes, it's the government system for all kinds of tax-related business. "Teilnehmer" is a fixed string for the user which will never change. Both "Benutzer-ID" and and "PIN" (Password) can be changed by the user through some means, the latter easily, the former harder to do.

For access to tax records/administration for a company, for example, the company account has a specific "Teilnehmer" ID but different people who can admin things there all can have different "Benutzer-ID"/"PIN" combinations.
Oh, and I think even normal people can create additional "Benutzer-ID"/"PIN" combinations with additional specific permissions so that other persons can do certain actions related to their taxes without full access to their account.
Component: Password Manager → Password Manager: Site Compatibility
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.