Open Bug 585591 Opened 12 years ago Updated 3 years ago

Password manager detects an invisible input with display:none as the username field (affects vBulletin 4)

Categories: Toolkit :: Password Manager, defect, P3
People: Reporter: Surfer56, Unassigned
References: Blocks 1 open bug
Details: Keywords: testcase, Whiteboard: [passwords:heuristics]
Attachments: 3 files

User-Agent:       Mozilla/5.0 (Windows NT 5.1; rv:2.0b4pre) Gecko/20100809 Minefield/4.0b4pre
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0b4pre) Gecko/20100809 Minefield/4.0b4pre

Password manager can't restore Login/Password for new vBulletin version.

Reproducible: Always

Steps to Reproduce:
1. Log in to forum.
2. Click "Remember" for forum.
3. Log out from forum.
Actual Results:
Unable to login with saved Authorization data.
Component: Account Manager → Password Manager
Product: Firefox → Toolkit
QA Contact: account.manager → password.manager
Same problem on http://www.mv-detox.com/forum.php
And same problem on http://defendium.info/forum.php
Attached image password manager
http://filesharingtalk.com/ same
It looks like vBulletin bug http://tracker.vbulletin.com/browse/VBIV-6360 which has been fixed in vBulletin 4.0.8
Duplicate of this bug: 945017
(In reply to Alexander L. Slovesnik from comment #5)
> It looks like vBulletin bug http://tracker.vbulletin.com/browse/VBIV-6360
> which has been fixed in vBulletin 4.0.8

I can't see that tracker bug and I'm also seeing it affecting http://forums.vwvortex.com which claims to be running version 4.2.1.

The problem is that there is a hidden <input type="text" value="Password" style="display:none"> at submission time that vBulletin uses to display the "Password" placeholder text before the password field is focused. Upon focusing the placeholder field, it is swapped with the real password field.

This should probably be fixed in vBulletin as they should use the placeholder attribute on <input> in supported browsers to get a behaviour that is easier for browsers to understand. It may already be fixed in vBulletin 5 as most affected sites seem to be running version 4 AFAICT. I will attach a reduced testcase.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: x86 → All
Summary: Password manager doesn't work properly in new vBulletin → Password manager detects an input with display:none as the username field (affects vBulletin 4)
Attached file Reduced test case
Keywords: testcase
vBulletin could have also switched the hidden field to type="hidden" to prevent this as type="hidden" is not recognized as a username field type[1]. We could make _isUsernameFieldType from [1] smarter and ignore fields with display:none and maybe visibility:hidden at the risk of breaking other websites.

[1] https://mxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/LoginManagerContent.jsm?rev=e7d886615ad8#267
Alexander, do you still have access to the tracker issue in comment 5 and if so, can you provide me with a copy of the information?
Flags: needinfo?(unghost)
(In reply to Matthew N. [:MattN] from comment #10)
> Alexander, do you still have access to the tracker issue in comment 5 and if
> so, can you provide me with a copy of the information?

See attachment.
Flags: needinfo?(unghost)
(In reply to Alexander L. Slovesnik from comment #11)
> Created attachment 8346427 [details]
> http://tracker.vbulletin.com/browse/VBIV-6360
> 
> (In reply to Matthew N. [:MattN] from comment #10)
> > Alexander, do you still have access to the tracker issue in comment 5 and if
> > so, can you provide me with a copy of the information?
> 
> See attachment.

Thank you very much.

I see that the bug is still open in their tracker and luckily some people have found workarounds such as re-ordering the password placeholder to be after the real password field.

If anyone knows whether this is fixed in vBulletin 5, please share so we can prioritize this bug accordingly.

Dolske, do you think that the proposal in comment 9 makes sense? 

An alternative is to modify the loop at [1] to use the first field before the password field as the username unless it's display:none (and similar) in which case we continue searching further to find the first non-display:none field to replace |usernameField|. We could even limit that to looking only one element further to be conservative.

Both proposals may break existing working sites IMO but it's hard to predict.

[1] https://mxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/LoginManagerContent.jsm?rev=e7d886615ad8#311
Flags: needinfo?(dolske)
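The username-selection heuristic and the two proposals from comments 9 and 13, as an added example that is not part of the original bug thread and is not Firefox's code. It is a simplified model: form controls are plain objects, the list of username field types, the field names and the `skipInvisible`/`maxExtra` options are assumptions made for illustration.

```javascript
// Simplified model of the heuristic discussed in this bug; not Firefox code.
// Form controls are plain objects so the example runs in Node without a DOM.
const USERNAME_TYPES = new Set(["text", "email", "url", "tel", "number"]); // assumed list

function isUsernameFieldType(el) {
  return USERNAME_TYPES.has((el.type || "text").toLowerCase());
}

// Stand-in for a computed-style check (display:none / visibility:hidden).
function isInvisible(el) {
  const s = el.style || {};
  return s.display === "none" || s.visibility === "hidden";
}

// Walk backwards from the first password field to choose the username field.
// skipInvisible applies the proposal; maxExtra caps how many further
// candidates are examined after an invisible one (Infinity = keep searching).
function pickUsernameField(elements, { skipInvisible = false, maxExtra = Infinity } = {}) {
  const pwIndex = elements.findIndex((el) => el.type === "password");
  if (pwIndex === -1) return null;
  let fallback = null; // first candidate, kept when nothing visible turns up
  let extra = 0;
  for (let i = pwIndex - 1; i >= 0; i--) {
    const el = elements[i];
    if (!isUsernameFieldType(el)) continue;
    if (!skipInvisible || !isInvisible(el)) return el;
    if (fallback === null) { fallback = el; continue; }
    if (++extra >= maxExtra) break;
  }
  return fallback;
}

// Constructed forms, in document order, as they stand at submission time.
const vb4Form = [
  { name: "username", type: "text" },
  { name: "password_hint", type: "text", value: "Password", style: { display: "none" } },
  { name: "password", type: "password" },
];
const hintAsHidden = vb4Form.map((el) =>
  el.name === "password_hint" ? { name: el.name, type: "hidden", value: el.value } : el);
const twoInvisible = [
  { name: "username", type: "text" },
  { name: "hint_a", type: "text", style: { display: "none" } },
  { name: "hint_b", type: "text", style: { visibility: "hidden" } },
  { name: "password", type: "password" },
];

console.log(pickUsernameField(vb4Form).name);                          // password_hint
console.log(pickUsernameField(vb4Form, { skipInvisible: true }).name); // username
```

With `{ skipInvisible: true, maxExtra: 1 }`, `twoInvisible` still resolves to `hint_b`, which shows how the conservative one-step limit leaves such forms unchanged, while `hintAsHidden` resolves to `username` even without the proposal.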
This is basically the opposite of the issue reported in bug 733217, no?

The vBulletin report (attachment 8346427 [details]) makes it sound like it's broken in a number of other browsers, probably for the same reason. Sounds like the proper resolution is for vBulletin to fix their code. Especially given that making this change could break password manager on other sites (à la 733217), and this doesn't seem to have been an issue reported outside of vBulletin.

Additionally, if I'm reading the report correctly, this field is just being used to show an input with "Password" in it, as a clue for what to type there. The modern way to do this in HTML is with the |placeholder| attribute... <input type=password placeholder="Type yer password here!"> See bug 888806 where we fixed this for Bugzilla!

I'd suggest we WONTFIX this bug.
Flags: needinfo?(dolske)
The vwvortex webmaster has been notified of the issue.
(In reply to Justin Dolske [:Dolske] from comment #14)
> I'd suggest we WONTFIX this bug.

I hesitated to do so since there are a decent number of vBulletin 4 sites in existence that are affected.

Can anyone confirm that this is fixed in a default installation of vBulletin 5 in all standard themes?
+1
I created a jsfiddle to reproduce this problem:
http://jsfiddle.net/nU8c3/show/
Similar Bug 997685
Whiteboard: [passwords:heuristics]
Blocks: 1583576
Priority: -- → P3
Summary: Password manager detects an input with display:none as the username field (affects vBulletin 4) → Password manager detects an invisible input with display:none as the username field (affects vBulletin 4)