commsec.com.au password shown in cleartext; login fails #1178

Closed
josh-parris opened this issue Mar 20, 2020 · 2 comments

@josh-parris

Commonwealth Securities, also known as CommSec, is Australia's largest online stockbroking firm operated by the Commonwealth Bank of Australia. It offers a telephone based brokerage service and advisory service, though its Internet trading platform constitutes the vast majority of its business.

CommSec have a propensity to log out inactive users, and when you try navigating to a page that requires a current session, you end up at the login page, which is where everything falls in a heap.

If you go to the login page, select your Bitwarden login, then Bitwarden fills in the user id successfully, and puts focus on the password field. If you tab away from the password field, the browser shows your password in greyed-out cleartext in the password field, but hitting the "login" button results in an error because there's no password. 

If you go to the login page, type anything in the password field, select your Bitwarden login, then Bitwarden fills in the user id and password successfully and puts focus on the password field. If you tab away from the password field, the browser shows your password starred-out in the password field; hitting the "login" button results in a successful login.

Problem known in Bitwarden 1.43.3 on Firefox 74.0 under Linux Mint, no other tech tested.

@absentbri

Same issue here on Ubuntu 20.04 LTS
Chrome Version 86.0.4240.111
Bitwarden Extension Version: 1.46.2

Seems like it's filling in the placeholder text instead of the actual password field. Does seem they have honeypot fields; the DOM is a bit of a mess, probably for security by obscuration more than anything.

@Hinton
Member

Hinton commented Dec 16, 2021

Thanks for reporting this issue. This is a known problem that affects a number of sites, and we’re working on improving this feature. To help us track and analyze affected sites, please lodge a report using the Google Form mentioned in this issue: #1621. Please also direct any discussion or questions to that issue. This issue will now be closed.

@Hinton Hinton closed this as completed Dec 16, 2021