Chrome saves wrong password after login
Reported by
gol...@madlan.co.il,
Dec 23 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

Steps to reproduce the problem:
It happens on my banking site - which is one of the biggest ones in Israel.
1. Login to the bank site at https://hb2.bankleumi.co.il/H/Login.html
2. Chrome suggests to save the password - press ok, click the 'eye' button to see the password - it's not the one you typed.
3. Indeed after trying to login again using saved password - the bank complains of 'wrong password entered'.

What is the expected behavior?
Chrome should save the correct password

What went wrong?
Seems Chrome is getting the value of some field from the POST request but this is not the real password, but something else.

Did this work before? No

Chrome version: 63.0.3239.84 Channel: stable
OS Version: 10.0
Flash Version:
Dec 28 2017
Unable to reproduce the issue on reported chrome version 63.0.3239.84 and on the latest canary 65.0.3305.0 using windows 10 with the below mentioned steps.
1. Launched Chrome
2. Navigated to https://www.google.com/gmail/
3. Gave the credentials and saved the password
4. Logged out and tried logging in
We observed the log in was successfully done without any "wrong password" message.
Note: Checked the issue using https://www.google.com/gmail/ and save password feature as ET team doesn't hold an account with bank mentioned in comment#0 https://hb2.bankleumi.co.il/H/Login.html.
Attaching the screencast of the same.
@Reporter: Could you please have a look at the screencast and let us know if we have missed any steps in reproducing the issue. Could you please check the same in a new profile and mention if the same behavior is seen. It would be highly helpful if provided with sample test credentials (if there are any). Thanks!
Dec 28 2017
I'm sorry that I wasn't clear - the feature works well for all sites I use except this one. Since it's an official banking site and I'm only a customer, I cannot provide you demo credentials. I assumed you could spot the bug just by using foo/bar as credentials. If that's not possible, can you please just explain how I can manually change the saved password and fix it manually? Where are these passwords being saved?
Dec 28 2017
Thank you for providing more feedback. Adding requester "vamshi.kommuri@techmahindra.com" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 29 2017
@Reporter:
1) We have tried to login into URL: https://hb2.bankleumi.co.il/H/Login.html, but it shows as invalid credentials
2) Once we login into any site and save the password from the save password popup window, chrome browser will save the passwords in chrome://settings -> Manage passwords section, there we can only view the passwords which we have saved and we can edit it
Please find the attached screencast how to check the saved passwords from the chrome://settings -> Manage passwords section in chrome browser, please let us know if you have any questions. Thanks!
Dec 29 2017
Dec 31 2017
When logging in, the POST request contains two keys, '__password' and 'password'. Neither of them is the original plain-text password (it seems the frontend of the website performs some local transformation/obfuscation on the password before creating the request). Chrome erroneously saves the value of the '__password' field. If you cannot fix this, I would like to suggest a feature request instead - create an option to manually change a saved password. Right now this is impossible. Thank you.
Dec 31 2017
Thank you for providing more feedback. Adding requester "sc00335628@techmahindra.com" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 2 2018
As per comment #7, the user has requested to create an option to manually change a saved password at chrome://settings/passwords. Hence, considering it as a feature request and marking it as untriaged for further inputs from the dev team. Thanks...!!
Jan 8 2018
Wow, this is interesting that a site managed to do that. We try to ignore the JavaScript value and save what the user typed. I will investigate. Editable password is in the TODO list.
Jan 9 2018
Jan 9 2018
Jan 26 2018
Jan 26 2018
I debugged it a bit and the concept is very simple - they just replace the characters as you type, so under no circumstances does the input field contain the typed password. How will you overcome this? By storing the actually typed text in memory as it is being typed?
Jan 26 2018
Probably by allowing you to check and fix the password in the save dialog. Not perfect but I think that your proposal has a ton of edge cases and is very hard (impossible?) to get right (think about cursor movement, deletes, insert, paste, ...). We thought about that as well.
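An added illustration, not part of the thread and not code from Chromium or the site, of the two points made above: a field whose page script substitutes characters as you type never holds the typed password, and a shadow copy of the typed text is only right if it replays every caret move, selection, paste and delete. The event shapes, function names and the `+1` substitution are assumptions made for the example.

```javascript
// Added illustration; every name and the +1 substitution are assumptions, not the site's code.
// Stand-in for a page script that swaps each character as it is typed.
const substitute = (s) => [...s].map((c) => String.fromCharCode(c.charCodeAt(0) + 1)).join('');

// Apply one edit to {text, start, end}; `map` transforms inserted text.
function applyEdit({ text, start, end }, ev, map = (s) => s) {
  switch (ev.type) {
    case 'select': // a plain caret move is a selection with start === end
      return { text, start: ev.start, end: ev.end };
    case 'insert': // typing and paste both replace the current selection
    case 'paste': {
      const ins = map(ev.text);
      const caret = start + ins.length;
      return { text: text.slice(0, start) + ins + text.slice(end), start: caret, end: caret };
    }
    case 'backspace': {
      const from = start === end && start > 0 ? start - 1 : start;
      return { text: text.slice(0, from) + text.slice(end), start: from, end: from };
    }
    default:
      throw new Error(`unknown event type: ${ev.type}`);
  }
}

const replay = (events, map) =>
  events.reduce((s, ev) => applyEdit(s, ev, map), { text: '', start: 0, end: 0 }).text;

// What the DOM field holds, i.e. what a password manager reading the field would save.
const fieldValue = (events) => replay(events, substitute);
// Shadow copy that replays every edit faithfully: the text the user actually entered.
const shadowTyped = (events) => replay(events);
// Naive shadow copy: appends keystrokes, pops on backspace, ignores caret, selection, paste.
const naiveTyped = (events) => events.reduce((t, ev) =>
  (ev.type === 'insert' ? t + ev.text : ev.type === 'backspace' ? t.slice(0, -1) : t), '');

// Constructed session: type, jump to the start, type, replace a selection by paste, delete at end.
const session = [
  { type: 'insert', text: 'hunter' },
  { type: 'select', start: 0, end: 0 },
  { type: 'insert', text: 'X' },
  { type: 'select', start: 2, end: 4 },
  { type: 'paste', text: '2!' },
  { type: 'select', start: 7, end: 7 },
  { type: 'backspace' },
];

console.log({ field: fieldValue(session), typed: shadowTyped(session), naive: naiveTyped(session) });
```

The three results differ: the field holds only substituted characters, and the naive tracker loses the mid-string insert and the paste, which is the class of edge case the comment above lists.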
Jan 26 2018
#15 - editing (as well as simply adding in advance for harder cases!) a password resolves many cases and I agree my contemplation (it was not a proposal, but a question) does not sound realistic. I did not want to come across as negative and dismiss it right when I asked, but it did not seem practical. :) I seem to remember there was experimental support for editing passwords. It might have been limited to Chrome OS. Anyway, I cannot think of a reason not to allow editing and it seems long overdue.
May 14 2018
Agree with #15. Password saving wouldn't be fixed, but we will add password editing to a save bubble.
Comment 1 by krajshree@chromium.org, Dec 25 2017