New issue
Advanced search Search tips

Issue 788526 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android
Pri: 3
Type: Bug



Sign in to add a comment

Smart Lock deletes Nest Password without warning.

Project Member Reported by mvanotti@google.com, Nov 26 2017

Issue description

Chrome Version: 62.0.3202.94 (Official Build) (64-bit)
OS: gLinux, Android

What steps will reproduce the problem?
(1) Reset Password at https://home.ft.nest.com
(2) Password will be saved without username. (check passwords.google.com)
(3) Log in with your user in https://home.ft.nest.com
(4) Password will be tied up to your username (this is kind of unintended, but I understand the rationale) (check passwords.google.com)
(5) Try to log in Nest App for Android
(6) Username & Password gets autocompleted in Android App from Smart Lock
(7) Log in fails (because of unknown reasons, unrelated to this issue)
(8) Password gets deleted from Smart Lock (check passwords.google.com)

What is the expected result?

The expected result is that the password is still in passwords.google.com

What happens instead?

The password for the nest page gets deleted. No warnings, nothing.

 

Comment 1 by mvanotti@google.com, Nov 26 2017

Labels: -Pri-1 Pri-3
Chrome Browser still remembers the password and will auto save it again if I try to log in later (even if the pw is deleted from passwords.google.com).

The original bug seems to be an issue with the way the Nest App works, right? It seems kind of anti intuitive that nest app can decide whether or not to delete my password in chrome (this cannot be done from the browser, why can they do it from the app?)

Comment 2 by vabr@chromium.org, Nov 27 2017

Labels: Hotlist-Polish
Status: ExternalDependency (was: Untriaged)
Thanks for the report. Indeed, this seems to be an issue with the Nest App. I will try to get involved people who know the integration with apps better than me.

Comment 3 by mvanotti@google.com, Nov 27 2017

Thanks for the answer, vabr.

After reading, this seems to be part of the API: https://developers.google.com/identity/smartlock-passwords/android/delete-credentials

It seems kind of backwards (how come a web page can't delete their password, but the android app can? and without a warning).

So I think it's two different kind of problems:
- The issue with the Nest App.
- The fact that the android Credentials API allow apps to delete user stored passwords.

Comment 4 by vabr@chromium.org, Nov 28 2017

Status: WontFix (was: ExternalDependency)
Hi mvanotti!

You discovered yourself what I had to ask about :). But indeed, #3 is true, and precisely what I heard confirmed from ssoneff@.

The Auth.CredentialsApi.delete method has reportedly been like this for over 3 years, and there is not much enthusiasm to change that, IIUC. Searching for "Auth.CredentialsApi.delete" in the internal bug tracker points one to the right component to file a bug against the Android-facing API. Not sure where to file a bug against the Nest app.

As this does not seem actionable on Chrome's side, I'll close this bug.

Sign in to add a comment