Passbolt browser extension fill is not working on my website page

Hello,

I am a developer. I have created a simple login page for one of my web pages (only a password), and I stored the password in Passbolt (no username, just a URI and the password).

My problem is, when I fill the password field using the “use on this page” option in the browser extension, my page does not accept it, but when I write it myself or when I use the “copy to clipboard” option of the extension, it works.

This means that the password stored in Passbolt is correct, but somehow the extension either changes it or adds some hidden characters when it fills the field with the “use on this page” option, which messes with my code (I hash the raw password the user inputs, with no special-character cleaning, so any additional character would prevent the password from matching).

Does anyone know the reason for this? Does it come from the fact that there is no (or rather, a blank) username?

I use Passbolt on Firefox 69.0.3.

You can find an example page here (just download the repo and follow the instructions in the README.txt; ask me if you have trouble) (cc @remy)

Thank you,
Matthieu

Hi @matthieu, can you share the HTML you use for the form on your web page? We can try to investigate the issue if we can reproduce it.

Hi @remy,

I use a bokeh server (Python 3.7, bokeh 1.3.4), which generates the page automatically.
(I do not know if or similar are supported; I will gladly add them later if they are)
(EDIT: I messed it up, but I don’t even know how I activated it in the first place and much less how to fix it, sorry for your eyes)

Here is the source code for the generated page:
<<<

My App
(function() { var fn = function() { Bokeh.safely(function() { (function(root) { function embed_document(root) {
              var docs_json = document.getElementById('1339').textContent;
              var render_items = [{"roots":{"1305":"bdcbe8d2-d944-487d-8866-322f9cb61dc7"},"sessionid":"2nZ73ObiRSHSNpllmYGUAv8q4BKyGp8KT3ilATZ0cA4O","use_for_title":true}];
              root.Bokeh.embed.embed_items(docs_json, render_items);
            
              }
              if (root.Bokeh !== undefined) {
                embed_document(root);
              } else {
                var attempts = 0;
                var timer = setInterval(function(root) {
                  if (root.Bokeh !== undefined) {
                    embed_document(root);
                    clearInterval(timer);
                  }
                  attempts++;
                  if (attempts > 100) {
                    console.log("Bokeh: ERROR: Unable to run BokehJS code because BokehJS library is missing");
                    clearInterval(timer);
                  }
                }, 10, root)
              }
            })(window);
          });
        };
        if (document.readyState != "loading") fn();
        else document.addEventListener("DOMContentLoaded", fn);
      })();
    </script>
>>>

I am not sure it will help, so here is the code in Python:
<<<
from bokeh.models.widgets import Div, Button
from bokeh.layouts import column
from bokeh.models.widgets.input import PasswordInput

from cryptography.exceptions import InvalidKey
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt
from cryptography.hazmat.backends import default_backend

class Login():
    """Class that adds a simple password protection to the dashboard"""

    def __init__(self, pw_hashed, salt, callback, *cback_args, **cback_kwargs):
        """
        pw_hashed:  binary string
            The scrypt hash of the password that must be entered to access the dashboard.
        salt:       binary string
            The salt used for the hashing process of the password
        callback:   function
            Function to call if the user enters the right password.
        cback_args: any
            the arguments for your callback function (e.g. "my_title")
        cback_kwargs:   any
            the named arguments for your callback function (e.g. name='Bob')
        """

        self.password = pw_hashed
        self.callback = callback
        self.cback_args = cback_args
        self.cback_kwargs = cback_kwargs
        self._backend = default_backend()
        self.salt = salt

        self.password_text = Div(text="Enter the password then press OK")

        # This is where the user inputs the password,
        # source code at https://docs.bokeh.org/en/latest/_modules/bokeh/models/widgets/inputs.html
        # Docs at https://docs.bokeh.org/en/1.3.4/docs/reference/models/widgets.inputs.html
        self.password_field = PasswordInput()

        # self.wrong_password_text = Div(text="Wrong password. Try again.")

        self.confirm_button = Button(label="OK",
            button_type="primary")
        self.confirm_button.on_click(self.verify_password)
        self.col = column(self.password_text, self.password_field,
            self.confirm_button)

    def verify_password(self, *e):
        # A fresh Scrypt instance is needed for every check: verify() consumes it.
        self.kdf = Scrypt(salt=self.salt, length=32,
            n=2**14, r=8, p=1, backend=self._backend)

        try:
            # The raw field value is hashed as-is; any extra character makes verify() fail.
            self.kdf.verify(str(self.password_field.value).encode(),
                           self.password)
            self.password_text.text = "Success"
            self.callback(*self.cback_args, **self.cback_kwargs)
        except InvalidKey:
            self.password_text.text = "Invalid password"

Hope this helps.
Thank you for your responsiveness, Remy.

P.S.: I reported this because it seemed weird to me and I did not know if it was a bug or a normal behaviour, but in any case it is not a real problem on my side (especially since the “copy to clipboard” function works alright).

I’m thinking there might be some issues with the autofill, in the sense that if this page is generating a honeypot for bots, the autofill might fill in the reserved field. I would need the final HTML of the page to be sure (like after the JavaScript builds it), if you right-click on the page that is rendered, inspect it and copy it.

Cheers,

I managed to get this:

https://pastebin.com/he7usM5M
(doesn’t fit in a post here)
I doubt everything will be useful, since I believe most of this is caused by imports from my app, and not directly related to the issue here.

HTML looks fine, no hidden fields. Which error do you get? “Invalid password” or something else?

Exactly, it triggers “invalid password” in my code.
And when I try to print the value in the password field, I just get a blank, even though I can see the password is input on the webpage and the length seems correct.

Maybe the extension tries to put in a username in front of the password? Since a blank string, like the username, generally contains only a ‘\0’, it could explain why the print function in Python prints a blank string despite the characters behind.

EDIT: Just verified, to be sure: the string consists only of a ‘\0’ when I try to print the value of the password field.

I’m not sure, since it’s a JavaScript-heavy page; I’d suspect it has something to do with the way events are triggered, like a submit event is sent before the value is fully present or something of the sort. If you can provide us with a demo page and a password to test, we can try to make it work. It will be hard without being able to test. Write to us at support@passbolt.com with the details if that’s an option for you.

With all due respect, I doubt it comes from the event triggering, since the event of reading the password in the field is triggered manually only, by clicking on a button.

Though, I will provide an example page later; hopefully it will be a bit easier to investigate since there will not be all the imports from my app. (I will edit this post when it is done.)

@matthieu no problem, I’m just speculating :). We got some issues in the past with JavaScript-heavy pages: https://github.com/passbolt/passbolt_browser_extension/issues/79

Thanks for setting up a test page, that would definitely help.

I did some tests with the password input field:

When filling automatically using the extension, and then writing the password myself in front of the one automatically filled in (going to the first position using the Home key on the keyboard – or whatever shortcut you have that brings you to the beginning of the line), the password matches. But it does not work if I try to write the password at the end of the one already in the field.

My guess is that it is indeed a ‘\0’ that is put in in front of the password, when automatically filling in the field.
However, adding a username does not seem to modify the behaviour:

  • the ‘\0’ (or whatever it is that creates the bug) remains
  • the username is ignored by the extension (which is normal, since there only is a password field)
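As an added example, not code from this thread, from Passbolt or from bokeh: the script below reproduces the scrypt check of the `Login` class above with the standard library's `hashlib.scrypt` (same `n=2**14, r=8, p=1`, 32-byte key) and adds the diagnostic this thread ends up needing. `print()` shows nothing for a NUL, so `hidden_characters()` lists every invisible code point in the field value (a leading `\0`, a zero-width space, non-ASCII whitespace) with its index and Unicode category, and `diagnose()` reports that next to the hash result, so a failed verify can be told apart from a genuinely wrong password. The salt and passwords are constructed demo values; `hashlib.scrypt` is assumed to be available (OpenSSL 1.1 or later).

```python
import hashlib
import hmac
import unicodedata

# Same scrypt cost parameters as the Login class in the thread: n=2**14, r=8, p=1, 32-byte key.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier; hashlib.scrypt is the stdlib stand-in for cryptography's Scrypt."""
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )


def verify_password(candidate: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of the candidate's scrypt output against the stored verifier."""
    return hmac.compare_digest(hash_password(candidate, salt), expected)


def hidden_characters(value: str):
    """Return (index, code point, Unicode category) for every character a user cannot see:
    control characters such as NUL (Cc), format characters such as zero-width space (Cf),
    line/paragraph separators (Zl, Zp), and any whitespace other than a plain ASCII space."""
    found = []
    for index, ch in enumerate(value):
        category = unicodedata.category(ch)
        invisible = (
            category.startswith("C")
            or category in ("Zl", "Zp")
            or (category == "Zs" and ch != " ")
        )
        if invisible:
            found.append((index, f"U+{ord(ch):04X}", category))
    return found


def diagnose(candidate: str, salt: bytes, expected: bytes) -> dict:
    """What a verify_password path can report locally on failure instead of a bare
    'Invalid password': hash match, length as Python sees it, and the hidden code points.
    The repr field exposes the secret; keep it for local debugging only, never in logs."""
    return {
        "matches": verify_password(candidate, salt, expected),
        "length": len(candidate),
        "hidden": hidden_characters(candidate),
        "repr": repr(candidate),  # repr() shows '\x00' where print() shows nothing
    }


if __name__ == "__main__":
    # Constructed demo values; a real deployment draws the salt from os.urandom(16).
    salt = b"constructed-demo-salt"
    stored = hash_password("correct horse", salt)
    for typed in ("correct horse", "\x00correct horse", "correct horse\u200b"):
        print(diagnose(typed, salt, stored))
```

Running it shows that the plain password matches, while the same password with a leading NUL or a trailing zero-width space hashes to a different key and is reported with the exact offending code point, which is the check a field filled by an extension or password manager deserves before the value is hashed.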
