Incorrect password suggestions in lastpass extension
Reported by
verheyen...@gmail.com,
Nov 22 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

Steps to reproduce the problem:
1. Click "Open my vault" from the lastpass extension icon menu
2. Click the edit (wrench icon) button on any item in the Sites list
3. The site settings open, however chrome replaces the username and password fields with an entry from the Chrome Saved Passwords feature (always the same credentials).
4. If I click save, my username and password in lastpass are overwritten with credentials from an old (deleted) entry in chrome saved passwords.

This does not happen when I open the lastpass vault via the lastpass website.

What is the expected behavior?
I guess Chrome should never suggest passwords in an extension. Chrome should look at a site's URL and then suggest login form values based on that. The lastpass extension url is "chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/vault.html" which matches none of the entries in Chrome saved passwords so chrome shouldn't touch that form.

What went wrong?
Chrome thinks the lastpass vault form is a login form, which it isn't, and overwrites values there. Therefore it is hard to manage my lastpass sites. I prefer to use both chrome saved passwords and lastpass. I use lastpass for my real-life accounts and chrome saved passwords for accounts in development websites.

WebStore page: https://chrome.google.com/webstore/detail/lastpass-free-password-ma/hdokiejnpimakedhajhdlcegeplioahd

Did this work before? No

Chrome version: 62.0.3202.94 Channel: stable
OS Version: OS X 10.12.6
Flash Version:

It would also be nice if you could delete the whole list of saved passwords with one button click.
,
Nov 24 2017
I don't understand what exactly is meant by a "deleted" entry. Is the entry shown in chrome://settings/passwords? If yes, then it is not deleted. If not, then Chrome has no way to fill that anywhere.

Chrome does respect the origin of a frame and would not fill credentials in a frame which were saved for another origin. To understand what happens in the described case, one can try to compare the origins for both the form and the filled credentials as follows:

(form) -- Right-click the password field, choose Inspect, then follow up the HTML structure from that field to its first parent which is an <iframe>. If there is none, the origin of the form is the one shown in the Omnibox (I understand that it's chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/.) If there is a frame, its src attribute tells the origin.

(credential) -- Locate the filled value in chrome://settings/passwords and check its origin.

Alternatively, open chrome://password-manager-internals/, then open a second tab with the vault until the credentials are filled. Go back to the internals page and check the logs (or share with us if you want). The logs state the origins (and a lot of other debug info, but no passwords).

As for never suggesting in extensions -- I'm not sure that's a good decision. Managing passwords in extension pages can be useful. And the user should be able to refuse saving credentials on a particular page by clicking Never in the save password prompt and delete any accidentally saved entries in chrome://settings/passwords.

As for deleting the whole list of saved passwords: you can do that in chrome://settings/clearBrowserData. We don't offer a 1-click UI for a very good reason: deleting all passwords by accident could be a serious issue for users.
,
Nov 24 2017
I found the issue. The URL of the lastpass extension was indeed listed in chrome://settings/passwords. For some reason this was never synced to passwords.google.com (which is the one I always used, assuming both have an identical list). Removing the entry solved the issue for me.
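Added example, not part of the original thread and not Chrome's own code: a small audit of a saved-passwords export that performs the origin comparison described above and lists entries saved for a `chrome-extension://` origin. It assumes a CSV export with `name,url,username,password` columns and uses a simplified (scheme, host, port) comparison; the sample rows and the names `origin_of` and `audit` are constructed for illustration.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample in the assumed export layout (name,url,username,password).
SAMPLE_EXPORT = """name,url,username,password
dev.example.test,https://dev.example.test/login,devuser,constructed-1
vault,chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/vault.html,olduser,constructed-2
staging,http://staging.example.test:8080/signin,devuser,constructed-3
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port); port is None when the scheme has no default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def audit(export_text, form_url):
    """Return (entries sharing the form's origin, entries saved for extension pages).

    Only URL and username are reported; the password column is never read out.
    """
    form_origin = origin_of(form_url)
    same_origin, extension_entries = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        origin = origin_of(row["url"])
        entry = (row["url"], row["username"])
        if origin == form_origin:
            same_origin.append(entry)
        if origin[0] == "chrome-extension":
            extension_entries.append(entry)
    return same_origin, extension_entries


if __name__ == "__main__":
    vault = "chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/vault.html"
    fillable, ext = audit(SAMPLE_EXPORT, vault)
    print("Saved for the vault page's origin:", fillable)
    print("Saved for any extension origin:", ext)
```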
,
Nov 24 2017
Thank you for providing more feedback. Adding requester "vabr@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 24 2017
,
Nov 29
Comment 1 by jochen@chromium.org
, Nov 23 2017