mooltipass/extension

Moolticute extension confused by manual 2FA/PIN requests - password overwritten on Mooltipass

ghalfacree opened this issue · 0 comments

The Moolticute Firefox browser extension, and likely others, gets very confused with sites that request a manual 2FA code entry - like a number sent via SMS, or generated by a TOTP dongle, or a memorised PIN - on an interstitial page after a user/pass login.

Expected behavior

Log in to a site with Moolticute, get prompted for 2FA code, manually enter 2FA code, proceed as normal.

Actual behavior

Log in to a site with Moolticute, get prompted for 2FA code, Moolticute auto-fills the prompt with the saved password, you overwrite that with the actual 2FA code, Moolticute prompts to "update data" - and if you accept, overwrites the password on the Mooltipass with the 2FA code.

Step by step guide to reproduce the problem

  1. Find site with manual 2FA (I've just encountered the problem with the Scottish Widows internet banking site in the UK, where I can't now log in because my password has been overwritten by three digits of 2FA code...)
  2. Log in as normal.
  3. Watch Moolticute incorrectly auto-fill.
  4. Override it.
  5. Get prompted to "update data".

Further notes

I've been either manually rejecting the "update data" prompt or allowing it to time out, but despite that my password has still been overwritten. I can't completely rule out accidentally accepting it last time I logged in, but I'm about 99 per cent sure I didn't - so I'm not sure why my password's been nuked!

Moolticute Version

v0.55.12-testing

Operating System

Ubuntu 20.04

Mooltipass Extension

Firefox

Mooltipass Device

Mooltipass Mini BLE
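
The failure reported above comes down to a password manager treating a 2FA/PIN input as the saved password field. As an added example (not the Mooltipass extension's code; the function names, field descriptors and hint list are assumptions made for illustration), this sketch shows one way to classify a field before auto-filling it or offering "update data":

```javascript
// Added example, not Mooltipass extension code. A field descriptor is a plain
// object with the attributes a content script would read from an <input>.
const OTP_HINT = /(^|[^a-z])(otp|totp|2fa|mfa|pin|passcode|verification[-_ ]?code)([^a-z]|$)/i;

function looksLikeOneTimeCode(field) {
  // "one-time-code" is the HTML autofill token for SMS/TOTP inputs.
  const tokens = (field.autocomplete || '').toLowerCase().split(/\s+/);
  if (tokens.includes('one-time-code')) return true;
  // Name/id/placeholder/label text that names a code or PIN.
  const text = [field.name, field.id, field.placeholder, field.label].filter(Boolean).join(' ');
  if (OTP_HINT.test(text)) return true;
  // Short numeric-only inputs: whole codes or single memorised-PIN digits.
  const short = Number.isInteger(field.maxLength) && field.maxLength > 0 && field.maxLength <= 8;
  const numeric = field.inputMode === 'numeric' || field.type === 'tel' ||
    field.type === 'number' || /\\d|0-9/.test(field.pattern || '');
  return short && numeric;
}

function shouldAutofillPassword(field) {
  return field.type === 'password' && !looksLikeOneTimeCode(field);
}

// Offer "update data" only for a field that was a legitimate password target
// and whose submitted value differs from what was filled.
function shouldOfferUpdate(field, filledValue, submittedValue) {
  return shouldAutofillPassword(field) && submittedValue !== filledValue;
}

// Constructed sample fields (not taken from any real site).
const SAMPLES = {
  login: { type: 'password', name: 'password', autocomplete: 'current-password' },
  smsCode: { type: 'text', name: 'code', autocomplete: 'one-time-code', maxLength: 6 },
  pinDigit: { type: 'password', name: 'pin-1', maxLength: 1 },
  maskedDigit: { type: 'password', name: 'answer', inputMode: 'numeric', maxLength: 1 },
  shipping: { type: 'password', name: 'shipping_password' },
};

function report() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([k, f]) => [k, shouldAutofillPassword(f)]));
}
console.log(report());
```

Gating the update prompt on the same classifier as the fill means a value typed into a code or PIN field can never be offered as a replacement for the stored password.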