latest firefox auto-fills the display:none honeypot field
Bug #1474841 reported by Nick Moffitt
This bug affects 18 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Canonical SSO provider | Fix Released | Undecided | Unassigned | |
Bug Description
Canonical IS have encountered an increasing number of people getting the "bad bot" error when trying to log in using firefox on ubuntu. It seems that the recent update introduced behaviour that will try to fill in the "hidden" (actually display: none, which is separate) form field with what we believe is an old password.
This is beginning to cripple people's access to online resources within the company.
The workaround has been to open a new "private" tab in firefox and log in there. There do not seem to be any unified sets of plugins that could explain this, so it is likely to be a core feature of firefox itself.
Changed in canonical-identity-provider:
status: New → Confirmed
This appears not to happen with fresh environments, so we expect that this is a function of having a larger and older set of saved passwords for firefox to draw from. The sensitivity of this PII makes it cumbersome to diagnose, but we can try to test hypotheses if we're careful in how we do it.
The field has name="openid.usernamepassword" so it's possible this could match some clumsy substring match or regular expression.
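One way to test the saved-password hypothesis without ever logging the sensitive value, as an added example that is not part of the original report or the SSO provider's code. It assumes the form arrives as a dict, that the real password field is named `password`, and that a `Firefox/` token in the User-Agent is a good enough browser hint; the helper names and sample submissions are constructed for illustration.

```python
import hmac
from collections import Counter

HONEYPOT_FIELD = "openid.usernamepassword"  # name quoted in the report above
PASSWORD_FIELD = "password"  # assumption: name of the real password field


def honeypot_diagnostics(form, user_agent=""):
    """Describe a honeypot hit using only non-sensitive features.

    Returns None when the honeypot is empty (an ordinary login attempt).
    The submitted honeypot value itself is never returned or logged.
    """
    value = form.get(HONEYPOT_FIELD, "")
    if not value:
        return None
    password = form.get(PASSWORD_FIELD, "")
    return {
        # True: the same secret landed in both fields.
        "equals_password": hmac.compare_digest(
            value.encode("utf-8"), password.encode("utf-8")),
        # Heuristic: a value with whitespace is unlikely to be a saved password.
        "has_whitespace": any(ch.isspace() for ch in value),
        "firefox": "Firefox/" in user_agent,
    }


def tally(submissions):
    """Count honeypot hits by (firefox, equals_password, has_whitespace)."""
    counts = Counter()
    for form, user_agent in submissions:
        hit = honeypot_diagnostics(form, user_agent)
        if hit is not None:
            counts[(hit["firefox"], hit["equals_password"], hit["has_whitespace"])] += 1
    return counts


# Constructed sample submissions (not real data).
FIREFOX_UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
SAMPLES = [
    ({"email": "a@example.com", "password": "current-pw"}, FIREFOX_UA),
    ({"email": "a@example.com", "password": "current-pw",
      HONEYPOT_FIELD: "older-pw"}, FIREFOX_UA),
    ({"email": "b@example.com", "password": "x",
      HONEYPOT_FIELD: "cheap pills here"}, "curl/7.43.0"),
]

if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLES).items()):
        print(key, n)
```

A tally dominated by Firefox hits with no whitespace would be consistent with autofill from saved passwords rather than bot traffic.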