Different auto-fill behavior between Firefox and Safari on citi.com

Site: https://www.citi.com/credit-cards/creditcards/CitiHome.do

Safari: this is my naked browser, the only add-in in the browser is the 1PW extension
Autofill: user ID and password is correctly obfuscated during autofill like us....me and pa....rd

Firefox: in addition to 1PW extension, Facebook Container, Privacy Badger, uBlock Origin also installed
Autofill: user ID is not obfuscated so the userid appears as username, but pa....rd is still obfuscated correctly. This fails the site log in.

I know citi.com was a challenge for your team, and I can't remember if the username ever filled correctly for me on Firefox. I had to use Safari today and realized that it was working correctly. Any idea what might be going on?


1Password Version: 7.3.1
Extension Version: 4.7.5.90
OS Version: OSX High Sierra 10.13.6
Sync Type: Dropbox

Comments

  • Hi @Superfandominatrix,

    So I tested first saving and then filling in both Safari and Firefox and for filling I was testing both of the freshly saved Login items for a total of two saves and four fills.

    The first thing to note is that a Login item saved within the browser for this site will not pick up the correct username because citi obfuscate the actual field contents. So after saving the first thing I had to do was edit the Login item and correct the username. That applied to both browsers. In both browsers though I'm not seeing a partially obscured password field, for me both browsers show a normal password field and 1Password saved the correct value for both.

    In the four fill tests, two in each browser I found consistent results across them. The username will appear partially obscured after filling but if I place focus on the field after filling I can see the full and correct username. The password continues to be fully obscured as would be expected with a normal password field.

    Can you see if the sites behaves any better or different in both browsers if you save an entirely new Login item and after saving correct the stored username. To save a new Login item in the browser I find our support page How to save a Login manually in your browser quite a handy resource if you haven't used it before.

  • @littlebobbytables

    This particular item is one of my older recorded logins, from 2015. However the login was captured way back then, right now 1PW holds the correct username and password unobfuscated like username and password, so correct.

    Yesterday, I tried to reproduce what I reported to you. Lo and behold, I could not and had planned on skulking away embarrassed :-)

    So today, I'm doing month end bill stuff, and the same issue occurred. So what had changed? In the interim I had closed Firefox and cleared cache / cookies / everything from the beginning of time. I have two different logins for citi.com domains with different user IDs. Today in this fresh browser, I am looking at a google drive sheet calculating a credit card payment, I click the 1PW Firefox extension icon, search "citi", select the correct citi.com logon, and click the "go" button. In other words, I don't have the citi.com page in browser cache and am relying on 1PW to open the webpage and fill the id. On a fresh Firefox browser, the username filled without obfuscation. I try to reproduce this morning's event, but without clearing cache, the userid fills in obfuscated.

    Does this help?

  • @littlebobbytables

    I'm going to skulk away again. Browser cache deleted again this morning, problem could not be reproduced. If I can pin down a reproducible set of circumstances where autofill does not obfuscate the userid, I will come back and post again.

  • ag_anaag_ana

    Team Member

    Thank you for the updates @Superfandominatrix! Sounds good :)

    For now, have a wonderful day then :)

  • @littlebobbytables @ag_ana thanks for your patience guys. I think I finally pinned it down and I've been able to reproduce. There is a browser difference but it's due to how each browser/add-on combo handles new tabs.

    Safari, I open the browser, click 1PW, search for citi, click "go" button, and Safari opens a new tab, then fills the credentials with correct obfuscation.

    Firefox, I'm typing this message to you in tab#3, if I click the 1PW extension icon, search for citi, click "go" button, Firefox opens a new tab, the credentials are correctly filled obfuscated.

    If I change the tab opening process the username fills incorrectly. The faulting workflow is this: I'm typing this message to you in tab#3, manually open a new blank tab, click the 1PW extension icon, search for citi, click "go" button, the user name credential fills incorrectly unobfuscated. If I come back immediately to tab#3, I can repeat both the good and faulting workflow consistently. Closed and cleared FF cache and was able to reproduce again. In Safari, even if I first manually open a blank tab, clicking "go" in the 1PW extension prompts a new tab to open which bypasses the problem I'm seeing in Firefox. No wonder I though I was going crazy :)

    Hopefully this helps. Let me know if you need any additional info on the FF browser config.

  • Hello @Superfandominatrix,

    So crucial to the above seems to be a freshly created Firefox window

    1. Either launch Firefox or create a new window either through the menu option File > New Window. My Firefox is set to open an empty tab.
    2. Use open-and-fill with a Citi Login item. How 1Password mini is accessed does not seem to matter; icon in macOS menu bar, button in Firefox toolbar or keyboard shortcut ⌥⌘\.
    3. Username is filled but visible. Clicking on the field causes the username to disappear.

    Now the next observation is I feel guaranteed to be a crucial part of the issue, keyboard focus is still on the address bar. For security reasons no extension is allowed to shift keyboard focus off of the address bar. If keyboard focus is on the page the extension can move it to any element but that's all it can do.

    If I tweak the above steps...

    1.5 Create a new empty tab. The method seems to be irrelevant e.g. Clicking the + button in Firefox, the menu option File > New Tab or keyboard shortcut ⌘T

    So despite the new empty tab looking no different to the original when I complete the rest of the steps keyboard focus is not on the address bar but in the page and everything fills correctly.

    As the extension is not allowed to shift focus away from the address bar I don't think this is something we can fix with a code change to the extension or 1Password. It's also subtle enough that I imagine Mozilla won't view this as a priority. About the only positive angle I can think of is now we better understand the state in which this happens there do appear to be easy ways to sidestep it such as if it's a new window use the ⌘T keyboard shortcut.

  • @littlebobbytables Thank you~

    If there is an issue with Mozilla / FF and 1Password extension behaviors being at cross purposes, understandable if this particular issue does not get "fixed".

    At minimum, I know what user pattern I need to change (don't manually open a new tab for citi sites) to avoid the issue.

  • brentybrenty

    Team Member

    Definitely tricky, but I'm glad that we were able to shed some light on it. If you need anything else though, be sure to let us know. I've got a long history with Citi myself. :lol:

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file