Mysterious Password pop-up

Description of the issue:
When you use the 'saved password. feature, An uncloseable persistent password pop-up appears.

Steps to Reproduce (add as many as necessary): 1. 2. 3.
Use the ‘saved password’ feature to fill in a password,then submit.
Actual Result (gifs and screenshots are welcome!):
I THINK we’re getting a (broken) pop-up to add a new password, when there isn’t a new password.
Expected result:
Feature should silently go back to sleep.
Reproduces how often:
Not really sure. Often enough to irritate me, but I don’t run around logging in and out of websites unless it’s needed. Sorry, but I’m not sure if it’s repeatable every time or not.
Brave Version(See the About Brave page in the main menu):
Version 0.60.48 Chromium: 72.0.3626.121 (Official Build) (64-bit)
Reproducible on current live release (yes/no):
Um… sorry, what live release?
Additional Information:
Hmm… LOVE your new browser, keep up the good work. As an (unrelated) bonus feature, could you have somebody go through and delete all of the dead space out of the settings page? A lot of people really HATE that feature in Chrome. A sensible settings menu would be awesome, but I think that a lot of people would be happy(er) just not having to scroll so much. :slight_smile:


also see it, but not understand why :thinking:

@crogonint. Just tried reproducing you’re issue on Windows 10 x64 - 0.60.48. When we save password for any website, after logout and login again, Manage password pop up will be shown, which is expected behaviour.

Just want to undesratnd what do you mean by broken password? are you not able to sign in website using saved password? Are you seeing manage password popup for other website, for which you’ve not saved the password?

Plese provide the additional info on broken password.


why here this notification on his screenshot in left corner?

Website have hidden form fields which capture user id and password. If you have autofill enabled without prompting, malicious websites may be able to steal your stored credentials. The pop up comes up when the form is loaded with those hidden fields and the password prompt shows up because we disable autofill by default. This is a security feature that is implemented in Brave to never autofill password.

There is nothing broken here its the website that has implemented the hidden id/password fields which Brave is stopping from autofilling it. This is more of a useful feature than problem. Hope this clears your doubt.


I didn’t say broken password, I said broken pop-up. There is no title bar and no close button = broken. The pop-up doesn’t fade away like a notice, it just sits there in front of the web page, forever.

Expected behavior by whom?? This is neither expected, or necessary. In fact, it’s downright irritating. Even if there WAS a close button, it would still force me to perform extra clicks every time I log in to a website. As it stands, I have to do a page change action of some sort just to get it off of the screen.

Obviously, [tagd0tbutl0t] doesn’t understand it’s function. I’ve seen the issue listed elsewhere, and nobody else understands its function either,they all assume it’s a glitch that you’ll repair in the next release.

This feature does not exist. You are referring to the auto sign-in feature, which does NOT have an option to prompt.

WRONG. Website password credentials are stored per website. Somebody would have to hack the internet to steal a password from the chromium password store. Specifically, they would have to hack a DNS server to serve the wrong IP address as being authoritative for a given URL. THEN they would have to hack the security certificates for the website. Then they would have to hack the webstie to replicate the expected web pages that the end user will see. Then they would have to hack in the bits to steal the password.

All for the rather small distribution area of a single DNS server. Still, even that would land you in a Federal Prison. If you wanted to hack the actual internet and hack the entire DNS system, basically every online police agency, interpol and the world in general would be dedicated to hunting you down.

Pretty sure that the result isn’t worth the effort. That’s probably why nobody has attempted it yet. Some things just aren’t worth the effort. :wink:

My example above is on THIS website! Are you tryin to say that you’re trying to steal your own end users passwords? That sounds pretty silly.

Again, the feature is called Auto sign-in, and there is no option to ask for a prompt. Note that I have auto sign-in enabled, and I’m still getting the pop-up. From you’re description, this sounds like it is NOT expected behavior.

WHAT?? That makes no sense. Are you telling me that the feature I see working does not work?

Most websites use persistent cookies for auto log-in functions. It sounds like you’re describing a duplicate function that is unnecessary.

WRONG. A persistent pop-up with no option to close it is BY DEFINITION an anti-feature.

Again, my example above is THIS WEBSITE. Are you accusing yourselves of stealing your own passwords??

WRONG. See my statements above.

Quite the opposite, now I’m concerned that not only do you not know what you’re talking about, now I’m concerned that people in charge of the Brave project might be just as clueless.

No disrespect. I still love the browser. I do want to see these issues resolved before I share it with my clients, friends and family, and recommend it to the masses however.

Furthermore, by persistently putting the username and password in the SAME PROMPT every time, you are creating the perfect conditions for a malicious add-on, website or script to inject in to said pop-up script and steal every password, every time.

The only thing left that they need to do is break the encryption (assuming that the text is being fed to the form field using encryption, otherwise they just need to sniff the injection routine). At any rate, that hack by itself has been done before, and it will be done again, it’s just a matter of time.

The only truth in encryption, is that encryption methods MUST be changed on occasion, because as long as someone CAN get their hands on an encryption key, they WILL… eventually.


Saying “no disrespect” doesn’t mean much after disrespecting someone repeatedly. Please be polite and understanding, even when you disagree. If you need to, you can review the Community posting policy guidelines here

Issue on our Github:

What it’s for:
Flag to disable: #fill-on-account-select

Really? You’re going to to chide me for picking apart a series of nonsensical statements without one shred of explanation?

Look here, I didn’t call anyone an idiot or an imbecile. I’m offering clarification and correcting statements where I can. I’ve been in the business of computer security for decades, and I take it EXTREMELY seriously. I have VERY high hopes for Brave. I honestly HOPE it dethrones Firefox. Firefox has fallen by the wayside. They NEED someone with their sh… stuff together to come along and steal their thunder. Permanently.

You guys could do that… but not like this.

IF you’re an expert on the subject, perhaps you could stop acting like a kindergarten teacher and do some actual expert clarifying to be useful.

  1. This IS a bug and an actual anti-feature. Period. As it stands, It is persistent and uncloseable. Even WITH a close button, it would still add unnecessary clicks. Best case scenario, you’re serving up passwords on a platter for someone to inject code and steal them. Just exactly HOW… HOW… does posting someones password in to a useless pop-up help ANYTHING?? WTH were they thinking? Seriously!

Jesus, give yourself some brownie points with a notification saying that you blocked a password from being auto-injected, then let the pop-up fade away after a few seconds. WHY would you post someone’s usernames and passwords in to a recurring location?

  1. HOW exactly does this pop-up prevent this imagined password threat? Given the risk of third party injection, it seems like your trying to stop the fat kid from eating too much vanilla pudding by throwing chocolate pudding at him.

  2. Who the HELL has a website with a hidden password prompt?? Is this a thing, or is this a ‘thing’… because I don’t think too many people would put up with a website hiding their login info. That sounds like some ‘Web of Things’ nonsense that only works when super-spyware oriented technology like Microsoft, Google, Amazon and Facebook get married and share enough info on end-users to pass out log in credentials. Even THEN, you have to be logged in to the original service. Nobody is pulling up discreet passwords behind the scenes without telling the end user.

Am I blunt? Yes I am. That’s the best way to be clear and concise, without creating confusion. When you’re NOT clear and concise, you end up with a persistent password pop-up that your end users have no clue what or why it’s there, and assume that it’s a glitch.

Allow me to clarify. I meant that I do not intend to show disrespect for Brave and what you’re trying to accomplish here. I have great respect, hopeand expectations of Brave. My statement had nothing to do with my replies to other peoples statements. I showed respect for them by not asking them where they got those stupid ideas, or some other underhanded form of conceit. I am fully aware that people get confused, even me. Part of having elite communication skills is seeking to clarify every tiny detail, just to be certain. What you perceive as disrespect is me whittling down the layers of the onion, so that we can lay every tid-bit out on the cutting board and have a look at it.

Now, ask yourself… WHY would this guy take all of the time to explain all of that stuff if he was just here to ‘disrespect’ everybody and everything. I wouldn’t, would I? I’m sharing all of this in an attempt to enlighten and to help you succeed. So take it all with a grain of salt and attempt to sift out the wisdom from the manure and polish what’s left, because you can’t polish a turd.

Its a public forum so lets all be civil when we talk. Being blunt is alright but it does come across as rude.

This issue has the PoC why autofill(auto-signin whatever terminology you want to use) was disabled. Please have a look at the article that is mentioned in the description of the issue.

I think the article might give you an insight as to why this is disabled in Brave and why it shows the popup on the page.

admins CALM DOWN i suggest… he is completeley right and you are wrong ! you should thank him for helping you detect such an idotic feature you have implemented! i completely agree with crogonint. i have noticed that admins attitude here is really too cocky and they dont respect users opinions…! i dont like it at all. admins you have to be more humble if this product is supposed to succeed. you just scare people away !

1 Like

Lets keep the thread only for discussing the issue at hand. If we didnt respect users opinions every thread would be closed without an answer and wouldn’t be kept open for discussion. More than happy if someone corrects me when I am wrong and happy to acknowledge it.

I don’t believe the feature is idiotic. The article is a good use case to implement the feature. There is always room to improve things and that is why the thread is still open and so is the issue linked.

Thread will be closed if it goes off topic

I will review the article to attempt to figure out just exactly what it is you’re getting at. The way you’ve described the issue (which I may not be understanding correctly) it sounds like a non-issue.

I will tell you this. The solution your devs have implemented IS effectively an ANTI-FEATURE. At the least, it needs to be re-worked. I would change the whole concept of what they are calling a solution, personally.

None the less, as I said, I’l check the link at some point this evening and reply after looking in to it.

Is there a matching ID # on U.S. Cert, or is this merely a programming vulnerability that isn’t actually classified as a threat?

Yeah, I’m calling B.S.

  1. As I mentioned in my first reply, the cookie can’t pull up the login info without permission.

  2. The login info does not necessary include an email address in the first place.

  3. If this was a real issue, years old, U.S. Cert would have issued a warning. Show me a U.S. Cert tracking number or shove off.

Ah, I see the Github issue has been revised and closed. Apparently the devs agreed.