nbtbank.com -- sniffing for "Firefox" causes non-Firefox browsers to fail to remember login information

RESOLVED INCOMPLETE

Status

RESOLVED INCOMPLETE
10 years ago
4 years ago

People

(Reporter: mmclagan, Unassigned)

Details

(Whiteboard: [bank][login required], URL)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1

The site in question is the online banking for a NY State bank.  The login
process requires a userid, on a new computer it asks a verification question,
then it asks for the password.  Successful entries result in viewing the bank
accounts, etc.

The problem is, since updating to Firefox 3, the 2nd step doesn't work -- the
bank *NEVER* recognises any PC using FF3 Linux.  I always have to provide the
login id, the verification and the password.

Worse still, if I reboot the laptop into XP and use the standard FF3
distribution from http://www.mozilla.com/en-US/firefox/ the bank skips over the
verification question -- it recognises that I've used the system to log in
previously and just asks for a password.



Reproducible: Always

Steps to Reproduce:
1.
2.
3.



I realize that this is probably next to impossible to work on -- I'm not about
to hand over my userid/verification/password for my bank account!  :)

I have cleared all cookies, cleared all permissions, set very permissive access
to the profile directory and files, basically everything I could short of
reading code or capturing packets.  It doesn't seem to be something simple.

This occurred with both the Fedora 9 distribution version of Firefox and the official binary from mozilla.com.
I don't think we can do anything about this.
You should try a new profile on Linux first:
http://kb.mozillazine.org/Profile_manager

The next step would be to check the cookies that get stored and, if everything else fails, to ask the bank.
(Reporter)

Comment 2

10 years ago
The problem definitely lies with Firefox, as recent versions have confirmed.

I use Fedora RPMs and regularly update.  Some time around 3.0.6 or so, the problem with the 'id verification' disappeared.  It definitely worked properly in 3.0.8 (didn't keep asking the question) which I was using until about two hours ago.  :(

They updated to 3.0.9 (which I skipped) and 3.0.10 which I just installed and now it is broken again -- it asks the ID question every time.

I'm going to see about getting copies of each of the RPMs so I can narrow the versions down, but I'm not hopeful that I can.
Narrowing it down to an RPM doesn't help at all because you would be testing Fedora builds and not our builds. Fedora adds, AFAIK, their own patches in their builds.
Keywords: testcase-wanted
(Reporter)

Comment 4

10 years ago
It's a guess, but reading the release notes suggests that the change may have come from https://bugzilla.mozilla.org/show_bug.cgi?id=470578.

If I can find where it starts/stops working with RPMs it's a start!
(Reporter)

Comment 5

10 years ago
I found Mozilla's own binary distributions.  I downloaded 3.0.4 -> 3.0.10, removed Fedora's RPM and put the 7 versions into /usr/local/lib.  I ran them against the same profile (no changes from run to run).

The results are:

  3.0.4 : Broken (asks for ID repeatedly)
  3.0.5 : Broken
  3.0.6 : Works (skips ID request)
  3.0.7 : Works
  3.0.8 : Works
  3.0.9 : Works
  3.0.10: Broken (again)

I've got the source archives, I'll see if I can figure out something from the diffs (I have no idea of the code structure, so it's almost 100% guessing).
Check the nightlies between 3.0.9 and 3.0.10 to help track this down; you can find them at ftp://ftp.mozilla.org/pub/firefox/nightly/ categorized by date.
(Reporter)

Comment 7

10 years ago
Please accept my apologies.  I hope that nobody else has wasted nearly as much time as I have on this particular report/issue.  I downloaded nearly 2 months' worth of nightly builds (03/02 -> 04/23), they all failed.  Very frustrating.

It occurred to me to check the agent string on a local webserver and saw the builds were all using "GranParadiso/3.0.Xpre" so I accessed about:config and changed the general.useragent.extra.firefox to "Firefox 3.0.9".  Lo and behold, it worked as expected.

Turns out that it doesn't matter what I put in the extra string, as long as it contains "Firefox" and "3.0.[6-9]".  Anything with "3.0.[0-5]" fails.  It now reads: 

   "Firefox/3.0.9; 
    Broken by NBT see: https://bugzilla.mozilla.org/show_bug.cgi?id=457321"

Since the agent string is the only variable that makes a difference, I'm changing the status and going back to doing something productive.  Maybe they'll get the message!
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INVALID
->Over to TE.
Assignee: nobody → english-us
Status: RESOLVED → UNCONFIRMED
Component: General → English US
Keywords: testcase-wanted
Product: Firefox → Tech Evangelism
QA Contact: general → english-us
Resolution: INVALID → ---
Michael, would you be willing to work with us on this? The bank really ought to be sniffing for a specific Gecko version if they're going to insist on sniffing, but it doesn't seem to me that their use of sniffing here has any basis in need at all.

If you are, please send the bank a TE letter:

http://www.mozilla.org/projects/tech-evangelism/site/procedures.html#contacting

and feel free to point them to this bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: x86 → All
Summary: Banking login handled differently in Linux versus XP → nbtbank.com -- sniffing for "Firefox" causes non-Firefox browsers to fail to remember login information
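
A model of what comment 7 found, as an added example that is not part of the bug report and not the bank's code: `observedSniff` is a hypothetical check (a "Firefox" token plus a single-digit `3.0.[6-9]` match) that reproduces the reporter's results, including the 3.0.10 breakage, and `geckoAtLeast` is one way to compare the Gecko `rv:` token numerically, as the reply above suggests. The UA strings and the `1.9.0.6` minimum are constructed for illustration.

```javascript
// Constructed UA strings modelled on the one quoted in the report;
// not captured traffic and not the bank's code.
const ua = (rv, product) =>
  `Mozilla/5.0 (X11; U; Linux i686; en-US; rv:${rv}) Gecko/2009042300 ${product}`;

// Hypothetical model inferred from comment 7: the UA must contain "Firefox"
// and a version matching 3.0.[6-9]. "3.0.10" starts with "3.0.1", so it fails.
function observedSniff(userAgent) {
  return /Firefox/.test(userAgent) && /3\.0\.[6-9]/.test(userAgent);
}

// Parse the Gecko "rv:" token into numeric parts, ignoring suffixes like "pre".
function geckoVersion(userAgent) {
  const m = /rv:(\d+(?:\.\d+)*)/.exec(userAgent);
  return m ? m[1].split(".").map(Number) : null;
}

// Numeric, component-wise comparison against a minimum Gecko version.
function geckoAtLeast(userAgent, minimum) {
  const have = geckoVersion(userAgent);
  if (!have) return false;
  const want = minimum.split(".").map(Number);
  for (let i = 0; i < Math.max(have.length, want.length); i++) {
    const a = have[i] || 0;
    const b = want[i] || 0;
    if (a !== b) return a > b;
  }
  return true;
}

// Run both checks over the builds tested in comments 5 and 7.
function compare(minimumGecko) {
  const samples = {};
  for (const n of [4, 5, 6, 7, 8, 9, 10]) {
    samples[`3.0.${n}`] = ua(`1.9.0.${n}`, `Firefox/3.0.${n}`);
  }
  samples.nightly = ua("1.9.0.10pre", "GranParadiso/3.0.10pre");
  // 3.0.10 build with general.useragent.extra.firefox overridden, as in comment 7.
  samples.override = ua("1.9.0.10", "Firefox/3.0.9; Broken by NBT");
  const out = {};
  for (const [name, s] of Object.entries(samples)) {
    out[name] = { sniff: observedSniff(s), gecko: geckoAtLeast(s, minimumGecko) };
  }
  return out;
}

console.table(compare("1.9.0.6")); // hypothetical minimum, chosen for the demo
```

The User-Agent value is set by the client, as the `about:config` change in comment 7 shows, so either check can only decide compatibility and says nothing about which device is connecting.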

Updated

10 years ago
Blocks: 334967
Whiteboard: [bank][login required]
(Reporter)

Comment 10

10 years ago
I sent the letter (which, btw, still refers to Firefox 2) about 15 minutes ago.  I tried to follow the guidelines but the system won't allow me to make the sort of changes to the bug it suggested (assignment, milestone, etc).
Michael, thanks for doing that. A comment here that you sent the letter is good enough for now; please keep us posted and let us know if they respond. (If they haven't responded within a couple of weeks, you should probably send another letter.)

cl
INCOMPLETE due to lack of activity since the end of 2009.

If someone is willing to investigate the issues raised in this bug to determine whether they still exist, *and* work with the site in question to fix any existing issues, please feel free to re-open and assign to yourself.

Sorry for the bugspam; filter on "NO MORE PRE-2010 TE BUGS" to remove.
Status: NEW → RESOLVED
Last Resolved: 10 years ago → 8 years ago
Resolution: --- → INCOMPLETE
Product: Tech Evangelism → Tech Evangelism Graveyard