Auto-fill puts the password in an incorrect field on CVS Caremark's site

[lddubeau]

Describe the Bug

Auto-fill puts the password in an incorrect field on https://www.caremark.com

Steps To Reproduce

1. Turn on "Enable Auto-fill On Page Load
   " in your bitwarden extension.
2. Create a login entry with username foo@example.com, password bar and having a URL set to https://www.caremark.com and matching on the domain name.
3. Go to https://www.caremark.com

Expected Result

I expect the "Username" field to be filled with foo@example.com and the "Password" field to be filled with three dots for the three characters of bar.

Actual Result

The "Username" field is properly filled correctly. However, the "Password" field appears empty. If I click on the "Sign In" button, I get a message saying: "Please enter your password.". And when the focus moves out of the password field, my password shows up as plain text rather than dots (i.e. I can see bar in the password field).

Environment

• Operating system: Debian 10
• Browser: Chrome 83.0.4103.116 (Official Build) (64-bit)
• Build Version: 1.45.0

Additional Context

The issue is that there is an input type="password" which is overlaid by an input type="text" which is supposed to act as a placeholder. Bitwarden set the text of the type="text" overlay. Here is the relevant HTML:

<input type="password" id="password" name="password" aria-label="Enter password" title="Enter your password" value="" class="common_properties logincommonClass" autocomplete="off" onkeypress="checkCapsLockLogin(event, true);" tabindex="0" style="[...]" data-com.bitwarden.browser.user-edited="yes" aria-describedby="passwordError">
<input type="text" id="passwordPlaceholder" aria-label="Enter Password, Passwords are case sensitive" style="[...]" name="passwordPlaceholder" title="Enter your password" value="" autocomplete="off" tabindex="0" class="common_properties logincommonClass" data-com.bitwarden.browser.user-edited="yes">

I've removed the values of the style attributes in the HTML above as they are quite long.

After the failed auto-fill, if I go into the console, I get the following results:

> document.getElementById("passwordPlaceholder").value
"bar"
> document.getElementById("password").value
""

So it looks like the placeholder overlay is set with the password.

I can work around the issue by copying and pasting the password manually.

[clayadams5226]

This is due to the way the web devs created their site. Bitwarden is looking for an id of "Password" but the CVS site has it labeled as "passwordPlaceholder". You should be able to resolve this issue by using custom fields. Create a custom field for "passwordPlaceholder" using your password and you should be all set.

[lddubeau]

@clayadams5226 Hmm... I'm not following your explanation there. If I understood your correctly, you are suggesting that the site wants passwordPlaceholder to be filled, but that it is not filled by Bitwarden and that's why the login fails. Adding a custom field named passwordPlaceholder would cause Bitwarden to fill it.

The thing is, Bitwarden is already filling the passwordPlaceholder field.

As I mentioned in the issue report:

After the failed auto-fill, if I go into the console, I get the following results:

> document.getElementById("passwordPlaceholder").value
"bar"
> document.getElementById("password").value
""

passwordPlaceholder contains "bar", and password is empty.

What did I miss?

[clayadams5226]

@lddubeau looks like you’re right. When I tested this last night the custom field worked as expected and I was able to log in. That doesn’t seem to be the case now. I’ll keep doing some more digging. Thanks for the response back.

[eliykat]

Thanks for reporting this issue. This is a known problem that affects a number of sites, and we’re working on improving this feature. To help us track and analyze affected sites, please lodge a report using the Google Form mentioned in this issue: #1621. Please also direct any discussion or questions to that issue. This issue will now be closed.