New issue
Advanced search Search tips

Issue 847228 link

Starred by 1 user
Status: Available
Owner: ----
Cc:
vasi...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 771657



Sign in to add a comment

Chrome suggests storing a password different from the one put in by user

Project Member Reported by batash@google.com, May 28 2018 
Chrome Version: 66.0.3359.139 (Official Build) (64-bit)
(Full about://version output if necessary: http://gpaste/6004638222385152)
URLs: https://hb.unionbank.co.il/

What steps will reproduce the problem?
Only possible if you have a bank account in Israel's Union Bank (which you probably don't)
1. Go to https://hb.unionbank.co.il/ 
2. Login with your credentials

What is the expected result?
If this is the first time you're logging in, Chrome should suggest storing your credentials, otherwise, nothing is expected.

What happens instead?
Chrome suggests storing your password, however, with a different password than the one you put in in the login phase. Moreover, the password value suggested to be stored is different (appears to be random) every time, triggering Chrome to suggest an update to the stored password, in case this isn't the first time you're logging in.


chrome://password-manager-internals output: http://gpaste/4868026130235392

Additional information:
This website also throws LastPass off with the same issue, so it seems like something about the way that particular website is set up is causing that. Since you probably don't have a bank account to log in with, I'm more than happy to have a live debug session with you whenever we can make that work.

Thanks!

Comment 1 by susan.boorgula@chromium.org, May 28 2018

Labels: Needs-Triage-M66

Comment 2 by viswa.karala@chromium.org, May 29 2018

Cc: vasi...@chromium.org
Labels: Triaged-ET
Thanks for filing the issue!

This issue seems similar to issue:  823562  for which the fix got landed already as per comment# 18, hence with reference to the issue:  823562 , CC'ing the author(Vasilii Sukhanov) of it for further inputs of it.

@Vasilii Sukhanov: Please let us know if the issue: 847228 is similar to Issue:  823562 , if yes, requesting you to merge it to M-67/M-68 if it is safe enough.

Thanks!

Comment 3 by dvadym@chromium.org, May 29 2018

Blocking: 771657
Labels: Pri-3
Status: Available (was: Unconfirmed)
Thanks for report! The reason is that the site does some magic with replacing password values with some random strings. We saw such bugs earlier. Unfortunately it's hard to fix.

Issue:   823562  has nothing to do with this bug.

Comment 4 by batash@google.com, May 29 2018 

As an additional user feedback, it's also beneficial to have Chrome in that case avoid suggesting to store the password altogether. In other words if it is easy/worth-the-effort to only detect when a website is set up that way, in which case either indicating that to the user or even not doing anything, would be better than attempting to store incorrect credentials.

It's possible that detecting that case is probably just as hard as getting the right credentials, but just in case it's easier, this could be useful.

Thanks!

Comment 5 by vasi...@chromium.org, May 30 2018 

We will support password editing and hopefully it'll be a better state.

Sign in to add a comment