Android - Password being inserted in username field #1339

Closed
ehaynes99 mannequin opened this issue Mar 26, 2021 · 1 comment


ehaynes99 mannequin commented Mar 26, 2021

Describe the Bug

On sites with independent pages for username, password is filled for username.

Steps To Reproduce

  1. Store an amazon.com password
  2. Go to amazon.com
  3. Use "Auto-fill with Bitwarden"

Expected Result

The username is populated.

Actual Result

The password is populated.

Additional Context

While this is technically a dup of #1173, it was closed without resolution, and I would like to suggest at least removing the default behavior of inserting the password unless the field can be identified as a password field. Even if you can't detect/autofill a username field, it shouldn't just blindly insert the password in an `<input type="email">` field. These fields in particular tend to be leaky. E.g. they get stored in the browser's autofill, are frequently wired to JS validation (including third-party ones), and often have event handlers that fire requests to e.g. check for an SSO integration on focus lost.

However, other password managers handle this by just assuming username when it can't be determined to be a password field. While this isn't bulletproof, it generally has the desired behavior. In the event that it's wrong, I think it's still more in keeping with the principle of least surprise. E.g. Keepass has this fallback when no associated password field is present:
https://github.com/PhilippC/keepass2android/blob/fcd3cddbc7c7b9d5ea2ca34940d051e3262b6c90/src/keepass2android/services/AutofillBase/StructureParser.cs#L130

```csharp
if (usernameFields.Any() == false)
{
    //for some pages with two-step login, we don't see a password field and don't display the autofill for non-manual requests. But if the user forces autofill, 
    //let's assume it is a username field:
    if (isManualRequest && !passwordFields.Any() && _editTextsWithoutHint.Count == 1)
    {
        usernameFields.Add(_editTextsWithoutHint.First());
    }
}
```
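
The behavior requested above, as an added example that is not part of the original issue and is not Bitwarden's or Keepass2Android's code: the password is mapped only to fields positively identified as password fields, and a single unidentified field on a manual request is treated as the username. `Field`, `FieldKind`, `FillPlanner` and the sample field and credentials are hypothetical, constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical, simplified view of a form field; not a Bitwarden or Android type.
enum FieldKind { Password, Username, Unknown }
record Field(string Id, string InputType, string Hint);

static class FillPlanner
{
    // Classify only on positive evidence; anything else stays Unknown.
    public static FieldKind Classify(Field f)
    {
        string type = (f.InputType ?? "").ToLowerInvariant();
        string hint = (f.Hint ?? "").ToLowerInvariant();
        if (type == "password" || hint.Contains("password")) return FieldKind.Password;
        if (type == "email" || hint.Contains("username") || hint.Contains("email"))
            return FieldKind.Username;
        return FieldKind.Unknown;
    }

    // Returns field id -> value. The password is only ever mapped to a Password field.
    public static Dictionary<string, string> Plan(
        IReadOnlyList<Field> fields, string username, string password, bool isManualRequest)
    {
        var plan = new Dictionary<string, string>();
        foreach (var f in fields.Where(f => Classify(f) == FieldKind.Password))
            plan[f.Id] = password;
        bool hasPasswordField = plan.Count > 0;
        var userFields = fields.Where(f => Classify(f) == FieldKind.Username).ToList();
        var unknown = fields.Where(f => Classify(f) == FieldKind.Unknown).ToList();
        // Two-step login fallback: forced autofill, no password field, one unidentified field.
        if (userFields.Count == 0 && !hasPasswordField && isManualRequest && unknown.Count == 1)
            userFields.Add(unknown[0]);
        foreach (var f in userFields)
            plan[f.Id] = username;
        return plan;
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample: first page of a two-step login with a single email field.
        var page = new List<Field> { new Field("login_field", "email", "") };
        var plan = FillPlanner.Plan(page, "alice@example.com", "placeholder-password", true);
        foreach (var kv in plan) Console.WriteLine($"{kv.Key} <- {kv.Value}");
    }
}
```

On a page with no password field and more than one unidentified field, `Plan` returns an empty map, so nothing is filled rather than guessing.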

eliykat commented Apr 29, 2021

Thanks for reporting this issue. Autofill problems can affect different sites, apps, or devices, and we’re working on improving this feature. To help us track and analyze affected sites, please lodge a report using the Google Form mentioned in this issue: #1389. Please also direct any discussion or questions to that issue. This issue will now be closed.

@eliykat eliykat closed this as completed Apr 29, 2021