Open Bug 554566 Opened 14 years ago Updated 1 month ago

remember password prompt displays credit card number(!) not user id for amtrak site when guest login is used

Categories

(Toolkit :: Password Manager: Site Compatibility, defect, P3)

People

(Reporter: mason.robert068, Unassigned)

Details

(Whiteboard: [fxcm-debt])

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)

I bought a ticket from amtrak.com. I chose NOT to get a username/password there, but just to buy the ticket as guest. After I entered all my info, Firefox asked me whether I wanted to save my password for ... and it listed my 16 digit credit card number as the username! Yikes!

Reproducible: Didn't try

Steps to Reproduce:
1. Because of the financial consequences of trying to reproduce -- buying a ticket -- I am not trying to reproduce it. You would have to pick a route on amtrak.com;
2. choose not to get a login/password there;
3. then buy the ticket using a credit card.
Actual Results:  
As I explained, it is not safe for me to try to reproduce; what happened is that Firefox said "do you want firefox to save the password for , where NNNNMMMMOOOOPPPP is my credit card number.

Expected Results:  
No password save choice should have been given, because there was no login created for this site (amtrak.com).

This is a frightening bug.

Version: unspecified → 3.6 Branch

Hi Bob, 

If I understand the sequence correctly it sounds like Firefox saved your credit card number in form history on a previous visit to this site or another, then recalled the entry to help in filling out the form.  As part of this feature no sensitive information, like a credit card number, is shared with sites unless you submit the form.

If you don't want to take advantage of the convenience of the password and form fill features in Firefox, you can clear history and turn the feature off.

You can find the controls for this under tools

   Tools | Options 

Menu.  Then select 

  Firefox will: Never Remember History

or 

  Firefox will: Use custom settings for history

Then uncheck search and form history.  

There is more information about this feature on the support site
http://support.mozilla.com/en-US/kb/Form+autocomplete

Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID

I don't see how this is not a bug. Firefox displayed my credit card number as if it was a username -- how could this be 'help in filling out the form'? It's the wrong field. If Firefox incorrectly identifies the type of the field, who knows what else it might do with the contents of it? Had I answered the question yes, Firefox would have saved my credit card number -- where?

I'd like to use the remember password feature, but I'd like to have confidence in it.

thanks,

bob

I went through the reservation process up to the point of getting to the credit card entry screen and was unable to reproduce. A screenshot is attached.

I entered first few numbers of my credit card but the auto formfill didn't even kick in at that stage.

Is this similar to the screen you saw with the credit card info filled in?

It's possible there could have been site changes to correct the problem you saw. If amtrak misidentified the form fields and exchanged the user name and credit card fields, that might be an explanation for what you saw.

I think we will need to figure out some way to reproduce the problem and capture a screen shot and/or the html content of the page to proceed with any kind of analysis.

After I went through the steps above I abandoned the transaction by closing the window to avoid any charges. Would it be possible for you to do the same?

I also see this behavior. On amtrak.com, my credit card information is automatically inserted into my username. The only way I can think to replicate this would be to actually make a reservation, submitting the form, so that the credit card information is saved as a username in Firefox.

Component: Security → Password Manager
Product: Firefox → Toolkit

Debug logging information would make this much easier to troubleshoot. See https://wiki.mozilla.org/Toolkit:Password_Manager/Debugging

A URL would also help so I know which phase of the checkout to expect this on.

Severity: critical → major
Status: RESOLVED → REOPENED
Ever confirmed: true
OS: Windows Vista → All
Hardware: x86 → All
Resolution: INVALID → ---
Version: 3.6 Branch → Trunk
Status: REOPENED → NEW
Component: Password Manager → Password Manager: Site Compatibility
Depends on: 1185000
Priority: -- → P3

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: major → --

The severity field is not set for this bug.
:serg, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(sgalich)
Severity: -- → S3
Flags: needinfo?(sgalich)
Priority: P3 → P1
Whiteboard: [fxcm-debt]
Attached image image.png

I can still see an attempt to save Expiry Date as a username and Security Code as a password.

Expiry Date looks like a regular <input type=text>.
Security Code looks like a regular <input type=password> or <input type=text> when revealed.
Card Number can be either marked as <input type=password> or <input type=tel> when revealed.

There are only secondary clues that this is a payment form, e.g. labels and min/maxLength set to 16 for Card Number and 3 for Security Code. All 3 inputs have inputmode=numeric. Form Autofill detects the credit card there, we can probably lean on that.

Priority: P1 → P3
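
The secondary clues listed in the last comment (labels, maxLength of 16 and 3, inputmode=numeric) can be combined into a check that suppresses the save-login prompt on payment forms. The sketch below is an added example, not Firefox's password manager or Form Autofill code; the field-descriptor objects, function names, score weights and the Luhn test on candidate values are assumptions.

```javascript
// Added illustration: descriptors and function names are hypothetical,
// not Firefox's LoginManager or Form Autofill code.

// Luhn checksum over 12-19 digits: the value is shaped like a card number.
function looksLikeCardNumber(value) {
  const digits = String(value ?? "").replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

const PAYMENT_LABEL = /card\s*number|security\s*code|expiry/i;

// Score one field on the secondary clues named in the comment (weights assumed).
function paymentScore(f) {
  let score = 0;
  if (PAYMENT_LABEL.test(f.label || "")) score += 2;
  if (f.inputmode === "numeric") score += 1;
  if (f.maxLength === 16 || f.maxLength === 3) score += 1;
  if (looksLikeCardNumber(f.value)) score += 3;
  return score;
}

// Offer to save only when neither candidate field looks like payment data.
function shouldOfferToSaveLogin(usernameField, passwordField) {
  return paymentScore(usernameField) < 2 && paymentScore(passwordField) < 2;
}

// Constructed sample forms (values are made up).
const checkout = {
  user: { label: "Expiry Date", inputmode: "numeric", value: "12/30" },
  pass: { label: "Security Code", inputmode: "numeric", maxLength: 3, value: "123" },
};
const login = {
  user: { label: "Email", value: "bob@example.com" },
  pass: { label: "Password", value: "correct horse" },
};
console.log(shouldOfferToSaveLogin(checkout.user, checkout.pass)); // false
console.log(shouldOfferToSaveLogin(login.user, login.pass));       // true
```

A numeric-only login (for example a customer number and PIN) scores 1 per field and is still offered for saving, so inputmode=numeric alone does not suppress the prompt.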