kee-org / KeeFox

Legacy browser and XUL application integration with KeePass Password Safe. See https://github.com/kee-org/browser-addon for the new version for Firefox 57+
https://forum.kee.pm

KeeFox shows 'save-password' on way too many sites #817

Closed antimatter84 closed 4 years ago

antimatter84 commented 7 years ago

A few weeks ago, KeeFox started to show its "save password" popup on 70% of all visited web pages, on which I did NOT enter a password.

Examples:
http://www.chefkoch.de/rezepte/1062511211550550/Haehnchen-Kohlrabi-Zucchini-Pfanne.html
http://edition.cnn.com/2017/09/17/motorsport/singapore-gp-f1-rain-vettel-hamilton-verstappen-ricciardo-ferrari/index.html

jalefkowit commented 7 years ago

This happens to me all the time as well. Very frustrating.

auanasgheps commented 7 years ago

I can confirm this, it is occurring too many times. For example, when I post something in XDA Forums (forum.xda-developers.com) I am prompted to save a password. And this is only the first that comes to my mind. Available to share more information where needed.

DeepMac commented 7 years ago

Confirmed happening for me as well on Firefox ESR 54 with KeeFox 1.7.2. It was updated 9/13/17 and I think that's when this became so frequent. I'm running KeePass 2.36. All under Win7 Ultimate 64bit.

I get this for pretty much any action that involves submitting a form, even just search forms. I saved some of the entries it wanted to create and they always seem to have a long random number for just the username, nothing else. I then looked at the source code for one of the pages that triggered it, and noticed the same number was in a script:

 <noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=579216298929618&ev=PageView&noscript=1"/>
 </noscript>

I do use NoScript, anyone else with this issue using NoScript? I'm wondering if this is always triggered by Facebook as well, that "?id=" seems like a likely culprit (I don't use Facebook).

auanasgheps commented 7 years ago

I'm not using NoScript, the issue appears every time there is a form interaction by any website. EDIT: Good news, the new WebExtension version in development does circumvent this bug.

Alpha 8 here

Less intrusive save password interface: We always allow the user to request to save the login from the main browser popup panel but we no longer auto-display a prompt to save the login.

jalefkowit commented 7 years ago

I'm not using NoScript either.

For debugging purposes, here are a couple of pages that consistently trigger the "save password?" dialog for me upon page load. These are all pages on sites where I don't have any kind of user account, so there's been no manual interaction with forms on them by me or password records saved in my KeePass database.

DeepMac commented 7 years ago

@jalefkowit That Baltimore page doesn't trigger it for me, but the Wirecutter page does. It ends up creating an entry (if I allow it) with, again, a random string of numbers for the username. And of the links @antimatter84 provided, the Recipe page does do it but not the motor sports page.

Doesn't appear to be related to NoScript then, and not all of these pages are calling Facebook. I'm not going to install that Alpha but it only seems to be avoiding it having to prompt to save every time. The real issue is it's detecting form submissions that aren't there or are not user-triggered, and also misinterpreting non-auth fields as auth fields.

jameshfischer commented 6 years ago

Also confirming the problem. Posted this on the keefox forum, but it is apparently abandoned. Tumbleweeds. Crickets.

So, here is a good example of what we are all talking about: https://www.newscientist.com/article/2144721-chinas-quantum-submarine-detector-could-seal-south-china-sea/

Just pulling up the website with KeeFox installed produces the unexpected and undesirable behavior.

luckyrat commented 6 years ago

> Doesn't appear to be related to NoScript then, and not all of these pages are calling Facebook. I'm not going to install that Alpha but it only seems to be avoiding it having to prompt to save every time. The real issue is it's detecting form submissions that aren't there or are not user-triggered, and also misinterpreting non-auth fields as auth fields.

There may well be other changes in the alpha which affect these various areas.

I have looked at all the links supplied here and none appear to detect a submission while just viewing the page using Kee 2.0.0.12.

This code sample is not really related to the NoScript Firefox add-on - it's just standard web page (HTML) code to allow different behaviour in browsers that have scripts disabled. How NoScript add-on handles that is probably highly complex and unrelated to the issues with KeeFox.

Please also see this standard message below so that anyone interested can understand if no activity occurs until next year and why at that time we may close the issue.

First, please see http://keefox.org/news/detail/2017/09/19/introducing-kee-20

The issues that affect Kee 2.0 will be different to KeeFox 1.7 and even where the same issues affect both versions, the cause will usually be different.

This issue will not be addressed here unless it is specific to Thunderbird or a serious problem affecting Firefox 52 ESR. Please get in touch privately if you find a security flaw regardless of which Mozilla application it affects to ensure a process of responsible disclosure can be followed.

If the issue is still relevant in Kee 2.0 please raise an issue in the new repository. For issues relating to the web browser add-on, or when you are not sure, please use https://github.com/kee-org/browser-addon/issues. For issues that affect the KeePass plugin (KeePassRPC) please use https://github.com/kee-org/keepassrpc/issues

I appreciate this might be disappointing for some people watching tickets involving things you feel would be great improvements or fix irritating bugs and limitations with KeeFox 1.x but I hope you'll understand that it's not wise to spend time on a version of the add-on which will cease to function in the latest version of Firefox in a month.

If you want to express an opinion or emotion relating to this comment, please use the "reaction" buttons rather than writing a new comment if possible - that will make it easier to tidy things up in 2018 so we can spend more time improving KeeFox instead of managing project admin.

If you'd like to comment or ask about the more general migration plan and reasoning for Kee 2.0, please join in the discussion at https://github.com/kee-org/browser-addon/issues/1 if there is no more specific issue or forum for discussion.

Thanks, Chris

DeepMac commented 6 years ago

@luckyrat, Thanks for the updates! I didn't know about Kee 2.0, and I agree this isn't an issue worth focusing on if it's in an older version. The constant pop-ups are an irritation, they don't impact functionality. Security-wise, the only concern I'd have would be if this could somehow be leveraged in combination with XSS or similar, but I doubt that'd have of a footprint to be something to worry about.

Tarrask commented 6 years ago

Hi, I somewhat solved or bypassed this problem by installing the Ghostery extension.

I guess it blocks the script or form that causes this problem. Hope this can help some of you.

github-actions[bot] commented 4 years ago

Following the recent announcement of the end of critical security patch support for this old software - https://forum.kee.pm/t/keefox-critical-security-support-ends-30th-september-2020-kee-is-unaffected/3219 - this issue has been automatically marked as stale. We will soon close this issue and then archive this repository in early October 2020.

If you think that the issue contents may still be relevant to the actively maintained Kee project, the successor of KeeFox, please search the community forum for help and post a new topic if appropriate: https://forum.kee.pm

Please do not reply to this comment / notification - it won't be seen.