Closed Bug 1106677 Opened 10 years ago Closed 10 years ago

Firefox China Index page email password transferred in cleartext

Categories

(Mozilla China :: General, defect)

Product:
Mozilla China
Component:
General
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: varas, Assigned: mitchell)

References

(
URL
)

Details

Attachments

(6 files)

http request with password in cleartext from Firefox index page
15.40 KB, image/png
Details
http request with password in cleartext from Firefox index page
19.78 KB, image/png
Details
http request with password in cleartext from Firefox index page
14.84 KB, image/png
Details
http request with password in cleartext from Firefox index page
16.53 KB, image/png
Details
http request with password in cleartext from Firefox index page
16.36 KB, image/png
Details
http request with password in cleartext from Firefox index page
17.31 KB, image/png
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 Steps to reproduce: Firefox Index page(Many Firefox versions in China)-->www.huohu123.com-->Login Email Actual results: Many Email password transferred in cleartext though many Email vendors above provide https api for login. Expected results: Email password transferred in https request or something safe(Email vendors can provide safe api)
URL: http://www.huohu123.com
Component: Untriaged → New Tab Page
jlu: do you know who should get this bug? It appears to be a problem with the www.huohu123.com site, not a bug in the Firefox product but I can't find an appropriate Bugzilla component for it. I assume this is relating to the login box at the top of the page. Even if we made the form submit over https it's still not secure to have a password field on the http://www.huohu123.com site itself. But if you only worry about passive sniffing attacks (common and easy anywhere there is wifi) then fixing the form submission would be at least an improvement. There does not appear to be a secure version of https://www.huohu123.com/
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jlu)
I don't have an idea in the slightest :( If this can only be fixed at the website's host/origin then we probably need a Tech Evangelist to reach out the website owner; or if there is anything Mozilla can do then we need to figure out what we'd like to do and categorize appropriately.
Flags: needinfo?(jlu)
CC'ing some folks from Mozilla Online.
(In reply to John Lu [:mnjul] [MoCoTPE] from comment #8) > I don't have an idea in the slightest :( If this can only be fixed at the > website's host/origin then we probably need a Tech Evangelist to reach out > the website owner; or if there is anything Mozilla can do then we need to > figure out what we'd like to do and categorize appropriately. This site is owned by Mozilla Online at Beijing. (In reply to Gary Kwong [:gkw] [:nth10sd] from comment #9) > CC'ing some folks from Mozilla Online. Thanks for bring this to our attention.
Update: I just confirmed with relevant owner/developer, this email login field has been removed. Thanks!
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Assignee: nobody → mitchell
Component: New Tab Page → Miscellaneous
Product: Firefox → mozilla.org
Version: unspecified → other
Group: core-security
Component: Miscellaneous → General
Product: mozilla.org → Mozilla China
Version: other → unspecified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: