Closed Bug 186072 Opened 22 years ago Closed 22 years ago

Cookies allow to access stored passwords

Categories

(Firefox :: Address Bar, defect)

Product:
Firefox
Component:
Address Bar
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED DUPLICATE of bug 184436

People

(Reporter: npeninguy, Assigned: hewitt)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021214
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5

A website can read stored passwords using cookies.


Reproducible: Always

Steps to Reproduce:
1. rm -rf ~/.phoenix
2. go to http://www.lfmm.org/phoenix/
3. Enter login "tagada" and password "tsointsoin", check Use password manager...
4. go to http://perso.club-internet.fr/hcheli/

Actual Results:  
On the page you can read "Bonjour tsointsoin".

Expected Results:  
The site should ask your name.
Same on windows with build Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
rv:1.3a) Gecko/20021207 Phoenix/0.5
I can reproduce the bug on Windows 2000, running Phoenix 0.5
OS-> ALL
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5

I can read "Bonjour tsointsoin !
Cela fait 2 fois que vous surfez sur cette page."

('tsointsouin' being the password I entered on previous site)

This is a serious security issue. Thanks to Nicolas for reporting the bug and
Laurent for re-creating the first web site so we can reproduce the bug faster.

Confirming.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Yes, dupe.

Please always try to reproduce the bug with the latest nightly before filing it.

*** This bug has been marked as a duplicate of 184436 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
verified.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.