Closed Bug 888664 Opened 12 years ago Closed 10 years ago

Google's re-authenticate page never auto-fills in the password from the LoginManager

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 733217

People

(Reporter: mozilla, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release) Build ID: 20130511120803 Steps to reproduce: After some period of time, many of Google's services (Wallet, Checkout, Calendar) will detect that you were previously logged in via a session cookie, but will ask you to reauthenticate with your password (the re-auth page displays your currently-logged-in username). So: * Log into your google.com account, and have firefox remember your password * wait some time (10-20 minutes seemed sufficient), possibly restart your browser. * Try to access checkout.google.com, for example * notice that the password field is not filled in. * Log out. Log in. Notice that the password field is filled in. I suspect that the form-completer associated with the Login Manager just needs to have a new "username" field name added. The page has this hidden field for your username/email: <input type="hidden" name="Email" id="Email" value="nothing@mozilla.com"> And displays your email for you to view on the page with: <span id="reauthEmail" class="reauth">nothing@mozilla.com</span> And asks for you password with a field: <input type="password" name="Passwd" id="Passwd"> Actual results: Login manager does not auto-fill in the password. Expected results: The password should have been filled in.
I can confirm. If multiple accounts/passwords for google.com are stored in password manager, it will fail to auto fill password. If you stored single account/password for google.com in password manager, it works to auto fill password.
Status: UNCONFIRMED → NEW
Component: Untriaged → Password Manager
Ever confirmed: true
OS: Windows 8 → All
Product: Firefox → Toolkit
Hardware: x86_64 → All
Version: 21 Branch → Trunk
I think this is wontfix, because browser cannot determine which account is activated now.
Alice0775 said: because browser cannot determine which account is activated now But can't the browser use the hidden field: name="Email" id="Email" To determine which account is currently activated? If there was no currently-active account, the "Email" field would be used to select an account to use. Surely that field can be used to restrict the password lookup? Or is that not desirable, because an attacker could potentially replace the "Email" value with another account id, in order to auto fill the other password and "steal" it?
Confirmed that this functions with only a single account/password entry for google.com.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.