Open Bug 554566 Opened 15 years ago Updated 4 months ago

remember password prompt displays credit card number(!) not user id for amtrak site when guest login is used


(Toolkit :: Password Manager: Site Compatibility, defect, P3)





(Reporter: mason.robert068, Unassigned)




(Whiteboard: [fxcm-debt])


(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)

I bought a ticked from I chose NOT to get a username/password there, but just to by the ticket as guest. After I entered all my info, firefox asked me whether I wanted to save my password for ... and it listed my 16 digit credit card number as the username! yikes!

Reproducible: Didn't try

Steps to Reproduce:
1.Because of the financial consequences of trying to reproduce -- buying a ticket -- I am not trying to reproduce it. You would have to pick a route on;
2.chose not to get a login/password there;
3.then buy the ticked using a creadit card.
Actual Results:  
as I explained, it is not safe for me to try to reporduce; what happened is that firefox said "do you want firefox to save the password for , where NNNNMMMMOOOOPPPP is my credit card number.

Expected Results:  
no password save choice should have been given, because there was no login created for this site (

This is a frightening bug.
Version: unspecified → 3.6 Branch
Hi Bob, 

If I understand the sequence correctly it sounds like Firefox saved your credit card number in form history on a previous visit to this site or another, then recalled the entry to help in filling out the form.  As part of this feature no sensitive information, like a credit card number, is shared with sites unless you submit the form.

If you don't want to take advantage of the convenience of password and form fill feature in Firefox you can clear history and the feature off.

You can find the controls for this under tools

   Tools | Options 

Menu.  Then select 

  Firefox will: Never Remember History


  Firefox will: Use custom settings for history

Then uncheck search and form history.  

There is more information about this feature on the support site
Group: core-security
Closed: 15 years ago
Resolution: --- → INVALID
I dont see how this is not a bug. firefox displayed my credit card number as if it was a username -- how could this be 'help in filling out the form'? it's the wrong field. If firefox incorrectly identifies the type of the field, who knows what else it might be with the contents of it? had I answered the question yes, firefox would have saved my credit card number -- where?

I'd like to use the remember password feature, but i'd like to have confidence in it.


I when through the reservation process up to the point of getting to the credit card entry screen and was unable to reproduce.  a screen shot is attached.  

I entered first few numbers of my credit card but the auto formfill didn't even kick in at that stage.

Is this similar to the screen you saw with the credit card info filled in?

Its possible there could have been site changes to correct the problem you saw.  If amtrak misidentified the form fields and exchanged the user name and credit card fields that might be an explaination for what you saw.

I think we will need to figure out some way to reproduce the problem and capture a screen shot and/or the html content of the page to proceed with any kind of analysis.

After I went though the steps above I abandoned the transaction by closing the window to avoid any charges.  Would it be possible for you do do the same.
I also see this behavior. On, my credit card information is automatically inserted into my username. The only way I can think to replicate this would be to actually make a reservation, submitting the form, so that the credit card information is saved as a username in Firefox.
Component: Security → Password Manager
Product: Firefox → Toolkit
Debug logging information would make this much easier to troubleshoot. See

A URL would also help so I know which phase of the checkout to expect this on.
Severity: critical → major
Ever confirmed: true
OS: Windows Vista → All
Hardware: x86 → All
Resolution: INVALID → ---
Version: 3.6 Branch → Trunk
Component: Password Manager → Password Manager: Site Compatibility
Depends on: 1185000
Priority: -- → P3

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: major → --

The severity field is not set for this bug.
:serg, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(sgalich)
Severity: -- → S3
Flags: needinfo?(sgalich)
Priority: P3 → P1
Whiteboard: [fxcm-debt]
Attached image image.png

I can still see attempt to save Expiry Date as a username and Security Code as a password.

Expiry Date looks like a regular <input type=text>.
Security Code looks like a regular <input type=password> or <input type=text> when revealed.
Card Number can be either marked as <input type=password> or <input type=tel> when revealed.

There are only secondary clues that this is a payment form, e.g. labels and min/maxLength set to 16 for Card Number and 3 for Security Code. All 3 inputs have inputmode=numeric. Form Autofill detects the credit card there, we can probably lean on that.

Priority: P1 → P3
You need to log in before you can comment on or make changes to this bug.