Report websites where Browserpass doesn't work

[maximbaz]

Please use this thread to report websites where Browserpass doesn't fully work, e.g. Browserpass is unable to fill username or password, or fills wrong form, or autosubmit doesn't work.

I'm not promising to support every single website, but I will investigate every example and if possible improve the detection logic.

I will not however add special cases for certain websites, I don't want Browserpass become a collection of broken websites on the Internet 🙂

[532910]

Autosubmit doesn't work for: https://esia.gosuslugi.ru/ Discourse sites: https://community.opencellid.org https://community.letsencrypt.org https://forum.f-droid.org

[maximbaz]

Discourse sites will unfortunately not work until they improve their markup, sadly they are not very interested in doing so: https://github.com/discourse/discourse/pull/7056

[532910]

https://ticket.coreboot.org/login Filed wrong: login goes into openid url, login field leaved unchanged

[maximbaz]

esia.gosuslugi.ru works for me, make sure to test in the latest version 😉

[532910]

I use СНИЛС login

[532910]

version 3.0.3

[maximbaz]

I don't have the right credentials so I can't really test a successful login, but I click on СНИЛС, fill it with random credentials and I see the "Войти" button becoming grey, something is refreshing, and then I get "wrong username or password" red error, so as far as I can tell auto-submit actually works? 😕 What do you see exactly? And what browser do you use?

[532910]

firefox 66.0.1-1, debian sid it work for test record with random СНИЛС and password (I see "Введено неверное имя пользователя или пароль") but for my credentials it just doesn't press "Войти" button

[maximbaz]

I have the same behavior for random СНИЛС and password, seems like I won't be able to reproduce because I don't have the correct credentials 😞 Injection is a bit annoying to debug, but I'll give it another try a bit later.

By the way, sadly there will be cases when autosubmit only works in Chromium but not in Firefox, because we have now an additional way of submitting forms, but Firefox doesn't support this (yet?): https://github.com/browserpass/browserpass-extension/pull/55

It's still an improvement, because in v2 such forms didn't work in both Firefox and Chromium 🙂

[532910]

can reproduce for random credentials:

% pass gosuslugi.ru    
hftEv*Iv\DrNMiB+&uf<!$sd}NWRlp
user: 123-123-512 35

for is not submitted, no red alert "Введено неверное имя пользователя или пароль"

[maximbaz]

ticket.coreboot.org/login Filed wrong: login goes into openid url, login field leaved unchanged

Fixed by #70

[maximbaz]

I tried esia.gosuslugi.ru and I can't reproduce the issue, neither in Chromium, nor in Firefox.

My exact steps:

1. Create the following password entry (includes autoSubmit for simpler repro steps):

hftEv*Iv\DrNMiB+&uf<!$sd}NWRlp
user: 123-123-512 35
autoSubmit: yes

2. Load latest Browserpass
3. Open incognito window, navigate to esia.gosuslugi.ru
4. Click СНИЛС
5. Use Browserpass

I do get a red alert about incorrect password.

[532910]

both firefox 66.0.1-1 and chromium 73.0.3683.75-1 with clean profiles are able to submit (get incorrect password error) with fake credentials that I specified, sorry.

but both do not submit my real credentials

[532910]

Looks like I've found it, try this one:

% pass gosuslugi.ru
oe`7\5IIxJ<_Rj2eYmiRs?U_"(+@Z.
user: 134–345–234 65
q: fBp8lbkYP9B82WivrxWM
a: H7wKupXuiwx0MPmhyF2M

[maximbaz]

This turned out to be a BEAUTIFUL discovery, a bug in a most unexpected location. Very happy that you gave me precise repro steps! Solved in #87 🙂

[OkanEsen]

pi.hole doesn't seem to work and doesn't return any password. If I remove the prefilled domain and type it manually into the search bar, the extension does seem to find the password.

Screenshots

 

[maximbaz]

This is an interesting case @OkanEsen. The reason for this behavior is because Browserpass is trying to determine where a domain name is in the string Privat/Logins/pi.hole, and it does so by using Tldjs, which knows how to search for a valid real well-known domain. In this case, .hole is not a real TLD, therefore Browserpass fails to detect this particular password entry.

@OkanEsen were the screenshots made on https://pi.hole domain, or on some other domain?

@erayd what do you think about teaching pathToDomain to also take into consideration the current domain from address bar? In other words, if you locally server a website on https://login.pi.hole and you have entries like pi.hole.gpg or login.pi.hole.gpg, they should appear in popup even though .hole is not a known TLD?

The severity is low as there is a simple workaround (hit Backspace, find pi.hole entry manually and use it to login - second time pi.hole password entry will be present in the popup), I'm curious more on your opinion if we should support this scenario or not over-engineer for this edge case.

[OkanEsen]

@OkanEsen were the screenshots made on https://pi.hole domain, or on some other domain?

Yes, that's correct and the default domain for a PiHole installation afaik.

It's not a huge deal breaker for me, though I should mention, that there are other devices in my network, which are using non-standard domains too, such as https://fritz.box etc.

Maybe it does make sense to extend the domain suggestion to non TLDs too, at least for the ones, which are specified inside a password file, such as pi.hole.gpg.

[maximbaz]

I think it's also fairly common to host local servers on non-existent domains for local development, so I also tend to vote for doing this, unless anyone can think of any security issues with doing that.

[erayd]

...to also take into consideration the current domain from address bar?

I think this is a good idea. It'll remember after the first use anyway, so it's not a big deal, but I think this will be a useful improvement to the first-use UX.

[lewisdiamond]

newegg.ca doesn't work: Error: TypeError: Cannot read property 'filledFields' of null

[maximbaz]

Nice one, will be fixed by https://github.com/browserpass/browserpass-extension/pull/110, thanks for reporting!

[Tycho-S]

Autosubmit doesn't work on my work's Identity Provider (PingID) with the new version. With the old (2.x) it did work. Tested both on Chrome and Firefox, on Mac. Autosubmit is switched on and works on other sites.

It's hard to give a direct link as it's only meant to be called from another site. But if you go to https://spiceportal.se.com you should be redirected to it. You won't be able to get in, but you should be able to see the form.

[mithodin]

https://ebay-kleinanzeigen.de also has Error: TypeError: Cannot read property 'filledFields' of null

[maximbaz]

OK I'll prioritize releasing a bugfix release 👍

[maximbaz]

3.0.11 is out with the fix for the TypeError above.

[maximbaz]

@TychoSchenkeveld I checked the website you posted above, sadly that website is no longer supported unless you can get ahold of its developers and convince them to improve HTML markup.

Currently the "Sign on" button is not even a <button> (let alone [type=submit] as it should be), but is also not identifiable as a login button, it has no ID or class or name that would say something like "login" (title is usually localized, thus we don't take it into account).

The reason it worked in v2 is because back then we also attempted to submit the form itself, however unfortunately this action broke many popular websites like AWS (see https://github.com/browserpass/browserpass-legacy/issues/217#issuecomment-429671923).

I am surprised that auto-submit doesn't work in Chromium though, because v3 is also attempting to trigger and Enter keypress, which does submit the form on AWS for example, but for some reason has no effect on this page. Not sure yet if this is something we can improve, or the website is trying to detect and ignore fake Enter keypresses...

[Tycho-S]

@TychoSchenkeveld I checked the website you posted above, sadly that website is no longer supported unless you can get ahold of its developers and convince them to improve HTML markup.

Thanks, I was afraid of that... I know this site isn't the best. I don't think I can convince them to change it. It's a big identity service, we're not the only ones using it.

The reason it worked in v2 is because back then we also attempted to submit the form itself, however unfortunately this action broke many popular websites like AWS (see browserpass/browserpass-legacy#217 (comment)).

Ah I see, I think this was also why it didn't work with Steam, it would submit there but not actually login. Also with Arstechnica. Didn't test those with v3 yet actually. Thanks for looking into that!

I am surprised that auto-submit doesn't work in Chromium though, because v3 is also attempting to trigger and Enter keypress, which does submit the form on AWS for example, but for some reason has no effect on this page. Not sure yet if this is something we can improve, or the website is trying to detect and ignore fake Enter keypresses...

Ah too bad, I was going to suggest that. I didn't realise you were already trying that. Yes indeed, it's very strange, I already noticed that when I press enter myself it works. It could very well be doing this. Too bad, I use this site a lot. It's supposed to use SSO (Kerberos) tickets but on Mac this doesn't work so it challenges me with logins every time. But you're right, their form leaves a lot to be desired.

[meskes]

ox.credativ.com works nicely on firefox but with chromium it hangs on "Filling login details..."

[maximbaz]

This is an interesting example, it is caused by a bug in Chromium, others have stumbled upon it too.

I have found a workaround to circumvent such websites. You might notice that the filling will be a bit slow on this website, it is because the workaround is simply an "abort" call if "Filling login details" hangs for too long, but it's better than nothing.

Will be part of the next release.

[meskes]

Thanks a lot. What causes this? There does not seem to be an adsbygoogle block on that website.

[maximbaz]

I'm not exactly sure what causes it, but the symptoms are reproducible 100%.

Here's the iframe that causes Chromium to hang on ox.credativ.com:

Maybe it's because it's hidden, or because its source is set to javascript:false, it's hard to say for sure. Sadly we can't decide which frames we want or don't want to inject into, it's all or nothing, but hopefully the workaround I have in mind is sufficient and won't cause troubles for anyone else.

[DamienCassou]

https://launchpad.37signals.com/signin (more details at https://github.com/browserpass/browserpass-extension/issues/134)

[532910]

https://login.aliexpress.com/ sometimes it works, sometime it says: Error: Error: Unable to inject script in the top frame

[maximbaz]

I can't repro the error on Aliexpress, could you identify what is different when the fill fails? Different browsers? Different logins?

[532910]

same browser, same login, different tries

[maximbaz]

In this case it could simply mean injection is happening very slowly on your computer, we have a timeout set to 1000 ms, but it was set almost arbitrarily - could you play with this constant and tell me if setting it to larger value helps, as well as what is the smallest value where you can't reproduce the issue anymore? I'm not looking for a precise value like 1347 ms, more like if it is on a level of 1500, 2000, 2500, etc.

https://github.com/browserpass/browserpass-extension/blob/6c1208b77a502da313dae98638775ec242eb6e2a/src/background.js#L332

[sapolsky]

khanacademy.org - fills only password but not username

If I understand correctly, the site doesn't use proper HTML markup on purpose (safety?). They are not the only ones.

for khanacademy.org "Email or username" field: form class="_123zd8nNaN" input class="_2a3kdy" placeholder="" type="text" id="uid-identity-text-field-2-email-or-username" data-test-id="identifier" value="" data-_extension-text-contrast=""

I know you don't want to add hacks for every such site. But perhaps [feature request] we could add funny field names to our pass-store files like we do with "login: adam.smith@whatever.com". In case of khanacademy - "uid-identity-text-field-2-email-or-username: "

[erayd]

@maximbaz I remember we talked this over a while back and decided against custom selectors in password files. I don't remember why though - do you?

[maximbaz]

khanacademy.org - fills only password but not username

Thanks for reporting!

If I understand correctly, the site doesn't use proper HTML markup on purpose (safety?).

There's no safety in using improper HTML markup 🙂 In this particular case, they put login and password fields in different <form>s, which is very unusual - we intentionally don't fill other forms if we found a form that contains password field, to prevent accidentally leaking your credentials.

If you feel strongly about this, I recommend contacting them via support and asking to make their login form more password-manager friendly, feel free to include me in the discussion if it is public, I'd be happy to assist them if necessary, clarify questions, etc.

They are not the only ones.

Please report them all in this ticket 😉 Even though we might not be able to support all of them, we do learn and improve based on some examples people post here!

But perhaps [feature request] we could add funny field names to our pass-store files like we do with "login: adam.smith@whatever.com". In case of khanacademy - "uid-identity-text-field-2-email-or-username: "

I remember we talked this over a while back and decided against custom selectors in password files. I don't remember why though - do you?

Yeah such feature request already exists (#74), we haven't posted yay or nay in there yet, but it is true that we have discussed it, and tending against supporting that feature. Apart from a few non-compliant websites, people also want to use that feature for different reason, e.g. to support "account" field (as on AWS) or credit card fields; and in all cases it feels wrong to force each user to repeat the same work and come up with selectors to different websites (which are identical for everyone on AWS for the account field, but at the same time different for credit cards on every single website), and to maintain those selectors when websites change. I think we will be able to come up with better solutions to all these scenarios than implementing custom selectors.

But anyway, let's leave this feature request aside for the moment, I'll start the discussion in #74 after I cleanup my schedule a little bit, for now you can subscribe to that ticket, contact khanacademy and post here more examples where autofill doesn't work as expected so I can have a look (if you want) 😉 Thanks!

[532910]

Error: Error: Unable to inject script in the top frame on aliexpress happens when firefox shows page loading indicator. If I stop loading with Esc and ask Browserpass to fill credentials it works fine.

[erayd]

@532910 That sounds like you're trying to fill the login prior to the page being ready. If you let the page finish loading, it should work correctly.

Is there a reason you are trying to fill the login before the page has loaded?

[532910]

As sometimes complete page loading takes so long as I even can't say will it be ever loaded. (I suppose this is aliexpress issues or my flashblock.) But page looks loaded (except progress indicator) when I press Browserpass button.

[532910]

Is it possible to automatically stop page loading when I press Browserpass button?

[erayd]

@532910 Gotcha, that makes sense.

Is it possible to automatically stop page loading when I press Browserpass button?

I'll need to do some investigating, but my suspicion is that this will be a bad idea. Some sites still use long-polling for fetching data rather than more modern methods (e.g. websockets), and if we kill the page load when browserpass is triggered, we'll also kill those connections, which is problematic.

[532910]

https://accounts.firefox.com/signin (The page is fully loaded) Error: Error: Unable to inject script in the top frame

[maximbaz]

Regarding the "Unable to inject script in the top frame" error, have you been able to try out my suggestion to increase the wait constant? We can try to make it better by increasing the value if it proves to help, but in general I think there's no better solution, we either have to hang Browserpass and wait until browser finishes loading the page (potentially minutes), or do what we do now and cancel the attempt on timeout... 🤔

[savyajha]

The website sbicard.com doesn't work with Browserpass. If I fill in the details manually and hit enter, it works, but if browserpass does the filling it tells me the user/pass combo is wrong.

By the name of the site, I hope that you understand my inability to provide you with a username/password for testing purposes. :)

[maximbaz]

On the first glance I don't see an obvious place where the issue might be, let's double check some details:

• Is this the login page you use? https://www.sbicard.com/creditcards/app/user/login
• Do you have autoSubmit enabled?
• What happens if Browserpass fills the form, but you manually press "Login" button?

[532910]

Regarding the "Unable to inject script in the top frame" error, have you been able to try out my suggestion to increase the wait constant?

Sorry, no. Is it possible to load browserpass-extension without makeing it? (I'd not like to install yarn and node.) Could you try to fill https://accounts.firefox.com/signin with any credentials. This issue is reproducable on firefox 67.0.4 with even a clean profile. (Chromium works fine.)