
Issue 742057

Starred by 3 users

Issue metadata

Status: Untriaged
Owner: ----
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: ----




Autofill Should Warn About Using a Password that's In Autofill for Some Other Field

Reported by roman.py...@rocketroute.com, Jul 13 2017

Issue description

(my assumption is that there is common cookie for e-mail and password fields)

Steps to reproduce:

1. Open any page which requires login
2. Log in and click 'Remember' e-mail and password
3. Log out and close this page
4. Open this page again and start to type something in the e-mail field

Actual result:
If the first typed digit or symbol matches the password, then the password will be shown in the e-mail field

Expected result:
Chrome should offer only entered e-mails and should not show the user's password

(My name is Roman Pysyk; my personal e-mail is romanpysyk@gmail.com
I am waiting for your response)

 
[Attachment: chrome_bug.jpg, 113 KB]
Labels: Needs-Feedback
Thank you for your bug report. In order to investigate this further we need more information from you:
- On which website did you save the email and password? Given that the email and password are not auto-filled, this is likely a different page than the one in your screenshot.

- Could you open chrome://settings/password and check what was saved as the password for this entry? You claim that the suggestion for the username is your password, so it would be helpful to know what was saved for the password instead.

Thank you very much for your help.
Hi!

I saved my e-mail (romanpysyk@gmail.com) and passwords on 
- www.fly.rocketroute.com
- www.facebook.com
(and a lot of other sites)

If I start to type a character or digit in the e-mail field, the password from the user's account will be shown if the first entered symbol matches. I asked my colleague to also check it, and passwords were also shown in the e-mail field for her accounts.
I am adding one more screenshot to illustrate the behavior on Facebook.

[Attachment: chrome_autocomplete.jpg, 227 KB]
Sorry, I am still unable to reproduce your issue. Could you specify which version of Chrome you are using? You can find this information in the first line when opening chrome://version/ from the omnibox. 

Also I can see the lock icon in the first screenshot you posted. What is shown to you when you click it? You can find it in the top-right corner next to the bookmark star.
Hi,

Chrome version is: 59.0.3071.115 (Official Build) (64-bit)
Also, I attached a screenshot of the pop-up shown after clicking the key icon



[Attachment: key_icon.jpg, 100 KB]
Components: -Privacy UI>Browser>Autofill
It's not your saved password that is autofilled. From the screenshot it's clear that you don't have a facebook password saved. What happens is the following:
- Chrome wants to help you with autofilling a phone or email (whatever the site needs as username).
- It has an autofill database where it remembers stuff you typed on this or other sites as a username.
- It just suggests it.

Thus, in the past you typed your password into some input which looked like a username input. You can clear it in chrome://settings/clearBrowserData, check "Autofill form data".

I'm reassigning this to the autofill team.
Labels: -Needs-Feedback
Reading this bug makes me think Chrome should warn before someone uses a password that they've entered into another field at some point.

"It looks like you're trying to enter a password that you've previously entered into a phone number field.  You may want to change to a more secure password."
Summary: Autofill Should Warn About Using a Password that's In Autofill for Some Other Field (was: Password from different accounts can be visible and readable)
Changing the summary per comment 5 to make it more obvious why this has been reassigned to the autofill team.
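
A toy model of the behaviour discussed in this thread, added here as an illustration and not Chrome's code: form data typed into non-password inputs is remembered and suggested by prefix, so a password typed into the wrong box resurfaces in the e-mail field, and the proposed warning is a lookup of the candidate password in that history. The class and method names, the keying by field name, and the sample values are all assumptions constructed for the example.

```javascript
// Toy model of a form-history autofill store (illustrative; not Chrome's implementation).
// FormHistory, record, suggest and passwordSeenElsewhere are hypothetical names.
class FormHistory {
  constructor() {
    this.entries = []; // { field, value } pairs typed into non-password inputs
  }

  // Called for each input on form submit. Inputs of type "password" are never
  // stored, but the store cannot tell when a password is typed into a text box.
  record(field, type, value) {
    if (type === "password" || value === "") return;
    if (!this.entries.some(e => e.field === field && e.value === value)) {
      this.entries.push({ field, value });
    }
  }

  // Suggestions: every remembered value for this field that starts with the prefix.
  suggest(field, prefix) {
    return this.entries
      .filter(e => e.field === field && e.value.startsWith(prefix))
      .map(e => e.value);
  }

  // Proposed check from the thread: has this password ever been stored as plain
  // form data? Returns the field names that hold it (empty array = no warning).
  passwordSeenElsewhere(password) {
    const fields = this.entries
      .filter(e => e.value === password)
      .map(e => e.field);
    return [...new Set(fields)];
  }
}

// Constructed sample session reproducing the report.
function demo() {
  const h = new FormHistory();
  h.record("email", "text", "user@example.test");
  h.record("pass", "password", "hunter2-Example"); // skipped: password input
  h.record("email", "text", "hunter2-Example");    // password typed into the e-mail box
  return {
    suggestions: h.suggest("email", "h"),           // what the reporter saw
    warnFields: h.passwordSeenElsewhere("hunter2-Example"),
    cleanFields: h.passwordSeenElsewhere("never-typed-elsewhere"),
  };
}
```

In this model, clearing the stored entries (the "Autofill form data" option mentioned above) empties both the suggestion list and the warning result.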
