Trezor passphrase being saved to password list and offered by auto fill without permission. #12563
Comments
|
cc: @darkdh @diracdeltas |
|
I'm referring to the passphrase for a particular wallet account not the mnemonic. |
|
probably related to the other password autofill changes that were in the last release, not strict site isolation. |
|
@higzac would you mind turning off strict site isolation and try again? It helps us narrow down that it is another password manager changes in the same release. |
|
There are 2 issues:
These two issues have already been there since we migrate to chromium password manager and #12489 (comment) exaggerates it upon page load because we will popup the USERNAME which about to fill to users However, I couldn't reproduce the automatically save because it will ask every time @bsclifton we might need #10566 in this milestone |
fix brave/browser-laptop#12563 Auditors: @bridiver, @diracdeltas Test plan: 1. Make sure built-in password manager is enabled 2. Male sure passphrase is set on trezor wallet 3. Plugin trezor and open wallet 4. Type passphrase and submit 5. Brave shouldn't prompt any messages to save password 1. Make sure built-in password manager is enabled 2. Sign up account for https://trac.torproject.org 3. Brave should ask users to save password, click deny 4. Logout and Login 5. Brave should ask users to save password, click allow 6. Change password 7. Brave should ask users to update password, click allow 8. Logout and use the save credentials to login 9. It should be able to login sucessfully
|
Sorry for the delay in getting back to you. Looking at what I can repeat this is what is happening Connect trezor and log into account. |
|
Test plan:
b.
|
|
Test plan B works on Windows. |
|
Test Plan B works on MacOS as well. |
|
Test Plan A works on MacOS and Windows with 0.19.132 |
|
checked on debian 8 and el capitan |
fix brave/browser-laptop#12563 Auditors: @bridiver, @diracdeltas Test plan: 1. Make sure built-in password manager is enabled 2. Male sure passphrase is set on trezor wallet 3. Plugin trezor and open wallet 4. Type passphrase and submit 5. Brave shouldn't prompt any messages to save password 1. Make sure built-in password manager is enabled 2. Sign up account for https://trac.torproject.org 3. Brave should ask users to save password, click deny 4. Logout and Login 5. Brave should ask users to save password, click allow 6. Change password 7. Brave should ask users to update password, click allow 8. Logout and use the save credentials to login 9. It should be able to login sucessfully
Description
Just upgraded to the new version. Turned on strict site isolation. Plug Trezor in and now my passphrase is available via autofill. The Trezor had been added to the saved passwords list. I didn't ok that. I deleted the pass phrase and the Trezor from the saved password list, entered it again into the Trezor and brave saved the passphrase again without asking. I've since shutdown auto fill and password management via brave.
This behavior started after the update. i'd used the Trezor multiple times today without this issue until the update was made.
Steps to Reproduce
Actual result:
Expected result:
Reproduces how often:
Brave Version
about:brave info:
Reproducible on current live release:
Additional Information
The text was updated successfully, but these errors were encountered: