Firefox China Index page email password transferred in cleartext

RESOLVED FIXED

Status

mozilla.org
Miscellaneous
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: varas, Assigned: Mitchell Baker)

Attachments

(6 attachments)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36

Steps to reproduce:

Firefox Index page (Many Firefox versions in China) --> www.huohu123.com --> Login Email


Actual results:

Many email passwords are transferred in cleartext, though many of the email vendors above provide an https API for login.


Expected results:

Email password transferred in an https request or something safe (email vendors can provide a safe API)
(Reporter)

Updated

3 years ago
Component: Untriaged → New Tab Page
(Reporter)

Comment 1

3 years ago
Created attachment 8531061 [details]
http request with password in cleartext from Firefox index page
(Reporter)

Comment 2

3 years ago
Created attachment 8531062 [details]
http request with password in cleartext from Firefox index page
(Reporter)

Comment 3

3 years ago
Created attachment 8531063 [details]
http request with password in cleartext from Firefox index page
(Reporter)

Comment 4

3 years ago
Created attachment 8531064 [details]
http request with password in cleartext from Firefox index page
(Reporter)

Comment 5

3 years ago
Created attachment 8531065 [details]
http request with password in cleartext from Firefox index page
(Reporter)

Comment 6

3 years ago
Created attachment 8531066 [details]
http request with password in cleartext from Firefox index page
jlu: do you know who should get this bug? It appears to be a problem with the www.huohu123.com site, not a bug in the Firefox product but I can't find an appropriate Bugzilla component for it.

I assume this is relating to the login box at the top of the page. Even if we made the form submit over https it's still not secure to have a password field on the http://www.huohu123.com site itself. But if you only worry about passive sniffing attacks (common and easy anywhere there is wifi) then fixing the form submission would be at least an improvement.

There does not appear to be a secure version of https://www.huohu123.com/
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jlu)
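The distinction drawn in the comment above (cleartext form submission versus a password field hosted on an http page) can be checked mechanically. The following is an added example, not part of the bug thread or any Mozilla code; the function names, finding labels and the `portal.example` / `mail.example` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def classify(page_url, action_url):
    """Label one password form by where it is served and where it submits."""
    if urlsplit(action_url).scheme != "https":
        return "cleartext-submit"   # password readable by a passive sniffer
    if urlsplit(page_url).scheme != "https":
        return "insecure-page"      # submit is encrypted, but the page itself
                                    # arrived unauthenticated over http
    return "ok"

class PasswordFormAudit(HTMLParser):
    """Collects (action URL, finding) for every <form> with a password input."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.action = None          # resolved action of the form being parsed
        self.has_password = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page URL.
            self.action = urljoin(self.page_url, a.get("action") or "")
            self.has_password = False
        elif tag == "input" and self.action is not None:
            if (a.get("type") or "").lower() == "password":
                self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self.action is not None:
            if self.has_password:
                self.findings.append(
                    (self.action, classify(self.page_url, self.action)))
            self.action = None

def audit(page_url, html):
    parser = PasswordFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup: two login forms and one search form.
SAMPLE = """
<form action="http://mail.example/login"><input type="password" name="p"></form>
<form action="https://mail.example/login"><input type="password" name="p"></form>
<form action="/search"><input type="text" name="q"></form>
"""
```

Forms without a password input are ignored; only static markup is inspected, so forms built or submitted by script are out of scope for this check.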
I don't have an idea in the slightest :( If this can only be fixed at the website's host/origin then we probably need a Tech Evangelist to reach out to the website owner; or if there is anything Mozilla can do then we need to figure out what we'd like to do and categorize appropriately.
Flags: needinfo?(jlu)
CC'ing some folks from Mozilla Online.
(In reply to John Lu [:mnjul] [MoCoTPE] from comment #8)
> I don't have an idea in the slightest :( If this can only be fixed at the
> website's host/origin then we probably need a Tech Evangelist to reach out to
> the website owner; or if there is anything Mozilla can do then we need to
> figure out what we'd like to do and categorize appropriately.

This site is owned by Mozilla Online at Beijing.

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #9)
> CC'ing some folks from Mozilla Online.

Thanks for bringing this to our attention.
Update: I just confirmed with the relevant owner/developer that this email login field has been removed. Thanks!
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Assignee: nobody → mitchell
Component: New Tab Page → Miscellaneous
Product: Firefox → mozilla.org
Version: unspecified → other
Group: core-security