Password type input with auto-complete enabled

RESOLVED INVALID

Status

www.mozilla.org
General
RESOLVED INVALID
4 years ago
4 years ago

People

(Reporter: Hammad, Unassigned)

Tracking

Production
x86_64
Windows 7

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141011015303

Steps to reproduce:

When a new name and password are entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser cache.


Actual results:

This vulnerability affects /en-US/styleguide/websites/sandstone/forms. 
Password type input named from form with ID form-example-standard with action forms has autocomplete enabled.
Possible sensitive information disclosure.



Expected results:

The password auto-complete should be disabled in sensitive applications. 
To disable auto-complete, you may use a code similar to: 
<INPUT TYPE="password" AUTOCOMPLETE="off">

Please don't submit untested reports from vulnerability scanners. They are almost always wrong (such as this case).
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Component: Untriaged → General
Product: Firefox → www.mozilla.org
Resolution: --- → INVALID
Version: 33 Branch → Production