remember password prompt displays credit card number(!) not user id for amtrak site when guest login is used

NEW
Unassigned

Status

()

defect
--
major
10 years ago
Last year

People

(Reporter: mason.robert068, Unassigned)

Tracking

Trunk
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

()

Attachments

(1 attachment)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)

I bought a ticked from amtrak.com. I chose NOT to get a username/password there, but just to by the ticket as guest. After I entered all my info, firefox asked me whether I wanted to save my password for ... and it listed my 16 digit credit card number as the username! yikes!

Reproducible: Didn't try

Steps to Reproduce:
1.Because of the financial consequences of trying to reproduce -- buying a ticket -- I am not trying to reproduce it. You would have to pick a route on amtrack.com;
2.chose not to get a login/password there;
3.then buy the ticked using a creadit card.
Actual Results:  
as I explained, it is not safe for me to try to reporduce; what happened is that firefox said "do you want firefox to save the password for , where NNNNMMMMOOOOPPPP is my credit card number.

Expected Results:  
no password save choice should have been given, because there was no login created for this site (amtrak.com)

This is a frightening bug.
Version: unspecified → 3.6 Branch
Hi Bob, 

If I understand the sequence correctly it sounds like Firefox saved your credit card number in form history on a previous visit to this site or another, then recalled the entry to help in filling out the form.  As part of this feature no sensitive information, like a credit card number, is shared with sites unless you submit the form.

If you don't want to take advantage of the convenience of password and form fill feature in Firefox you can clear history and the feature off.

You can find the controls for this under tools

   Tools | Options 

Menu.  Then select 

  Firefox will: Never Remember History

or 

  Firefox will: Use custom settings for history

Then uncheck search and form history.  

There is more information about this feature on the support site
http://support.mozilla.com/en-US/kb/Form+autocomplete
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
I dont see how this is not a bug. firefox displayed my credit card number as if it was a username -- how could this be 'help in filling out the form'? it's the wrong field. If firefox incorrectly identifies the type of the field, who knows what else it might be with the contents of it? had I answered the question yes, firefox would have saved my credit card number -- where?

I'd like to use the remember password feature, but i'd like to have confidence in it.

thanks,

bob
I when through the reservation process up to the point of getting to the credit card entry screen and was unable to reproduce.  a screen shot is attached.  

I entered first few numbers of my credit card but the auto formfill didn't even kick in at that stage.

Is this similar to the screen you saw with the credit card info filled in?

Its possible there could have been site changes to correct the problem you saw.  If amtrak misidentified the form fields and exchanged the user name and credit card fields that might be an explaination for what you saw.

I think we will need to figure out some way to reproduce the problem and capture a screen shot and/or the html content of the page to proceed with any kind of analysis.

After I went though the steps above I abandoned the transaction by closing the window to avoid any charges.  Would it be possible for you do do the same.
I also see this behavior. On amtrak.com, my credit card information is automatically inserted into my username. The only way I can think to replicate this would be to actually make a reservation, submitting the form, so that the credit card information is saved as a username in Firefox.
Component: Security → Password Manager
Product: Firefox → Toolkit
Debug logging information would make this much easier to troubleshoot. See https://wiki.mozilla.org/Toolkit:Password_Manager/Debugging

A URL would also help so I know which phase of the checkout to expect this on.
Severity: critical → major
Status: RESOLVED → REOPENED
Ever confirmed: true
OS: Windows Vista → All
Hardware: x86 → All
Resolution: INVALID → ---
Version: 3.6 Branch → Trunk
Status: REOPENED → NEW
Component: Password Manager → Password Manager: Site Compatibility
Depends on: 1185000
You need to log in before you can comment on or make changes to this bug.