Report websites where Browserpass doesn't work

[maximbaz]

Please use this thread to report websites where Browserpass doesn't fully work, e.g. Browserpass is unable to fill username or password, or fills wrong form, or autosubmit doesn't work.

I'm not promising to support every single website, but I will investigate every example and if possible improve the detection logic.

I will not however add special cases for certain websites, I don't want Browserpass become a collection of broken websites on the Internet 🙂

[532910]

Autosubmit doesn't work for:
https://esia.gosuslugi.ru/
Discourse sites:
https://community.opencellid.org
https://community.letsencrypt.org
https://forum.f-droid.org

[maximbaz]

Discourse sites will unfortunately not work until they improve their markup, sadly they are not very interested in doing so: discourse/discourse#7056

[532910]

https://ticket.coreboot.org/login
Filed wrong: login goes into openid url, login field leaved unchanged

[maximbaz]

esia.gosuslugi.ru works for me, make sure to test in the latest version 😉

[532910]

I use СНИЛС login

[532910]

version 3.0.3

[maximbaz]

I don't have the right credentials so I can't really test a successful login, but I click on СНИЛС, fill it with random credentials and I see the "Войти" button becoming grey, something is refreshing, and then I get "wrong username or password" red error, so as far as I can tell auto-submit actually works? 😕 What do you see exactly? And what browser do you use?

[532910]

firefox 66.0.1-1, debian sid
it work for test record with random СНИЛС and password (I see "Введено неверное имя пользователя или пароль")
but for my credentials it just doesn't press "Войти" button

[maximbaz]

I have the same behavior for random СНИЛС and password, seems like I won't be able to reproduce because I don't have the correct credentials 😞
Injection is a bit annoying to debug, but I'll give it another try a bit later.

By the way, sadly there will be cases when autosubmit only works in Chromium but not in Firefox, because we have now an additional way of submitting forms, but Firefox doesn't support this (yet?): #55

It's still an improvement, because in v2 such forms didn't work in both Firefox and Chromium 🙂

[532910]

can reproduce for random credentials:

% pass gosuslugi.ru    
hftEv*Iv\DrNMiB+&uf<!$sd}NWRlp
user: 123-123-512 35

for is not submitted, no red alert "Введено неверное имя пользователя или пароль"

[maximbaz]

ticket.coreboot.org/login
Filed wrong: login goes into openid url, login field leaved unchanged

Fixed by #70

[maximbaz]

I tried esia.gosuslugi.ru and I can't reproduce the issue, neither in Chromium, nor in Firefox.

My exact steps:

1. Create the following password entry (includes autoSubmit for simpler repro steps):

hftEv*Iv\DrNMiB+&uf<!$sd}NWRlp
user: 123-123-512 35
autoSubmit: yes

2. Load latest Browserpass
3. Open incognito window, navigate to esia.gosuslugi.ru
4. Click СНИЛС
5. Use Browserpass

I do get a red alert about incorrect password.

[532910]

both firefox 66.0.1-1 and chromium 73.0.3683.75-1 with clean profiles are able to submit (get incorrect password error) with fake credentials that I specified, sorry.

but both do not submit my real credentials

[532910]

Looks like I've found it, try this one:

% pass gosuslugi.ru
oe`7\5IIxJ<_Rj2eYmiRs?U_"(+@Z.
user: 134–345–234 65
q: fBp8lbkYP9B82WivrxWM
a: H7wKupXuiwx0MPmhyF2M

[maximbaz]

This turned out to be a BEAUTIFUL discovery, a bug in a most unexpected location. Very happy that you gave me precise repro steps! Solved in #87 🙂

[OkanEsen]

pi.hole doesn't seem to work and doesn't return any password. If I remove the prefilled domain and type it manually into the search bar, the extension does seem to find the password.

Screenshots

[maximbaz]

This is an interesting case @OkanEsen. The reason for this behavior is because Browserpass is trying to determine where a domain name is in the string Privat/Logins/pi.hole, and it does so by using Tldjs, which knows how to search for a valid real well-known domain. In this case, .hole is not a real TLD, therefore Browserpass fails to detect this particular password entry.

@OkanEsen were the screenshots made on https://pi.hole domain, or on some other domain?

@erayd what do you think about teaching pathToDomain to also take into consideration the current domain from address bar? In other words, if you locally server a website on https://login.pi.hole and you have entries like pi.hole.gpg or login.pi.hole.gpg, they should appear in popup even though .hole is not a known TLD?

The severity is low as there is a simple workaround (hit Backspace, find pi.hole entry manually and use it to login - second time pi.hole password entry will be present in the popup), I'm curious more on your opinion if we should support this scenario or not over-engineer for this edge case.

[OkanEsen]

@OkanEsen were the screenshots made on https://pi.hole domain, or on some other domain?

Yes, that's correct and the default domain for a PiHole installation afaik.

It's not a huge deal breaker for me, though I should mention, that there are other devices in my network, which are using non-standard domains too, such as https://fritz.box etc.

Maybe it does make sense to extend the domain suggestion to non TLDs too, at least for the ones, which are specified inside a password file, such as pi.hole.gpg.

[maximbaz]

I think it's also fairly common to host local servers on non-existent domains for local development, so I also tend to vote for doing this, unless anyone can think of any security issues with doing that.

[erayd]

...to also take into consideration the current domain from address bar?

I think this is a good idea. It'll remember after the first use anyway, so it's not a big deal, but I think this will be a useful improvement to the first-use UX.

[lewisdiamond]

newegg.ca doesn't work:
Error: TypeError: Cannot read property 'filledFields' of null

[maximbaz]

Nice one, will be fixed by #110, thanks for reporting!

[Tycho-S]

Autosubmit doesn't work on my work's Identity Provider (PingID) with the new version. With the old (2.x) it did work. Tested both on Chrome and Firefox, on Mac. Autosubmit is switched on and works on other sites.

It's hard to give a direct link as it's only meant to be called from another site. But if you go to https://spiceportal.se.com you should be redirected to it. You won't be able to get in, but you should be able to see the form.

[mithodin]

https://ebay-kleinanzeigen.de also has Error: TypeError: Cannot read property 'filledFields' of null

[maximbaz]

Thanks as usual 🙂

https://www.itead.cc/
https://www.ozon.ru/

These two show similar behavior but I currently have no good ideas how they could be solved without breaking a lot of other websites, their markup violates our core assumption that if website developers know what a <form> tag is, they would at least use it for login form - so we have some fallback logic that just takes any available form, and on these websites it turns out to be the search form... Unless I come up with something clever, they will have to be supported by #195

https://www.doncamillo-saarbruecken.de/

This one is so silly we can't support it, they change the field type on click via javascript, so until a user clicks on the field it is truly a non-interesting regular text field where passwords most certainly should not be inserted... 😄

[532910]

https://bill.nevalink.net
login and password are filled, but not submitted

[532910]

https://zadarma.com/en/
Error: Error: No fillable forms available for fields: login, secret

[532910]

https://www.voip-info.org
login and password are filled, but not submitted

[equaeghe]

https://orcid.org/signin

Password is filled, but username is not.

• Username field:

  <input _ngcontent-xov-c94="" matinput="" formcontrolname="username" apptrim="" class="mat-input-element mat-form-field-autofill-control ng-tns-c80-2 cdk-text-field-autofill-monitored ng-pristine ng-valid ng-touched" id="mat-input-0" aria-describedby="mat-hint-0" aria-invalid="false" aria-required="false">
  

• Password field:

  <input _ngcontent-xov-c94="" matinput="" formcontrolname="password" type="password" class="mat-input-element mat-form-field-autofill-control ng-tns-c80-3 cdk-text-field-autofill-monitored ng-pristine ng-valid ng-touched" id="mat-input-1" aria-invalid="false" aria-required="false">
  

[532910]

RouterOS router webfig login page
login and password are filled, but not submitted

It could be tested online: http://demo.mt.lv/webfig/

[erayd]

Thanks @532910. Will investigate why this is, as fill + enter does work, so it seems odd that autosubmit doesn't.

As it happens, I use Browserpass to log in to RouterOS on a daily basis, and @maximbaz also has a router that runs it. So we don't need the online demo to test with. But I do appreciate that you linked it for us - thank you!

[erayd]

@532910 I've investigated, and it seems the RouterOS webfig login page doesn't actually contain a form at all. The fields are simply input fields in a table, and the login button isn't actually a button at all, but merely a styled link with a javascript click handler attached to it.

There's no way that Browserpass should ever be auto-submitting something like that sorry. However, autofill + pressing enter does work just fine.

[532910]

Thank you for investigation

[DamienCassou]

It seems that browserpass can't find the submit button in https://app.nalo.fr/components/auth/#/login.

[morciej]

This is using Ver. 3.7.2 in Firefox 87.0

Filling a modal html form doesn't work for local addresses like 192.168.X.XXX. I make sure to name containing folder to 192.168.X.XXX.

It is easy to be deceived by the browser filling out the credentials from history. In order to reproduce, make sure to delete history for the server.

[morciej]

Again, Ver. 3.7.2 in Firefox 87.0
On https://www.fido.ca/profile/signin, as well as https://www.airbnb.ca, browserpass fails to find any fillable elements. But when the site is displayed with no style, it finds them, and once reverted to basic page style, it keeps finding them (in the same session only).

First time only, I get a complaint window, saying "javascript application, form origin is supposed to be www.fido.ca (or www.airbnb.ca) but it is www.google.com. Then I say OK, and I get the ebove error.

[DamienCassou]

Doesn't work on: https://espacepro.cmb.fr/auth/login

[maximbaz]

Thank you for posting these 👍

• can't find the submit button in https://app.nalo.fr/components/auth/#/login.
• https://www.fido.ca/profile/signin
• https://www.airbnb.ca

The case here is that markup is weird, the fields which Browserpass doesn't find are simply not passing sanity check. In the first case it's unidentifiable login button (we avoid pressing a random button after putting credentials on the page), in the latter two cases it's just bad markup, login fields are actually made invisible with CSS and what you see on the page is divs drawn to look as fields... So browserpass doesn't treat those invisible fields as a real login form.

My best suggestion is to get those supported via #195

Filling a modal html form doesn't work for local addresses like 192.168.X.XXX

This I could not actually reproduce, or I misunderstood the issue. If I go to an IP address and it contains a html login form, and I have in my password store an entry called <ip-addr>.gpg, it will be discovered by Browserpass, and I would see it in popup.

If it's a modal HTTP form (a popup that browser shows, which prevents you from interacting with browser until you submit or cancel this popup), make sure to look at this section of the docs, for example you must open such page from within Browserpass for it to be able to provide the credentials.

Doesn't work on: https://espacepro.cmb.fr/auth/login

At the moment the root cause is #73, didn't research if their markup is good otherwise.

[jbalme]

https://my.wealthsimple.com/app/login?locale=en-ca

[paulperegud]

https://www.centrum24.pl/

EDIT: this is definitely a case for #74, custom selectors specified in pass entries.

[meskes]

Trip Actions seems to do some non-standard stuff, at least I cannot get browserpass to fill in my details: https://app.tripactions.com/app/user2/auth

[aventrax]

@tomclark Home Assistant is really annoying for me.

Any update? Home assistant has no "name" property in the input fields so I tried to add them but nothing changed. Where is the issue?

[532910]

ikea.com
login and password are filled, but not submitted

[a20caa6e-0bcb-11ec-b174-db94a7bb8a28]

On
https://demo.jorani.org/session/login
only the username is completed, but not the password.

[disketten]

On
https://www.jollyroom.dk/mine-sider/log-ind
only "password" is completed, not "username". The "username" field is called "email" in the html.

[532910]

browserpass successfully fills username and password for openwrt's luci but doesn't automatically submit form after this

[ralozkolya]

On
https://ibank.bog.ge/
It throws this error:

Error: Error: No fillable forms available for fields: login, secret

[532910]

I can give my Home Assistant public address of for @maximbaz or @erayd for investigation, but would not like to publish it here.

[Hate9]

Sites using Authentik (https://goauthentik.io/) don't work.

[fuu0]

GLS Onlinebanking is broken:
https://www.gls-online-filiale.de/services_cloud/portal
only "password" is completed, not "username" - html Field for username is html element "vrNetKey"

Is there a way to add a Element to USERNAME_FIELDS in a variable per pass entry? so i can add user: and userfield: vrNetKey in my passstore...

[timonegk]

Field for username is html element "vrNetKey"

"vrNetKey" is also used by other German banks, e.g. Volksbank and Sparda-Bank:
https://www.sparda-h.de/services_cloud/portal/login
https://www.sparda-bank-hamburg.de/services_cloud/portal/portal-oauth/login
https://www.hamburger-volksbank.de/services_cloud/portal
https://www.volksbank-eg.de/services_cloud/portal/
https://www.berliner-volksbank.de/services_cloud/portal/

[erayd]

Instagram (see #323)

[BastienDurel]

On
https://www.borgbase.com/login

Error: Error: No fillable forms available for fields: login, secret

[foxyseta]

On https://www.interrail.eu/en/login#/login, the username field (email) is filled in properly, but the password is ignored. I could not see any output from the extension on the developer console. Am I supposed to be looking somewhere else?