Closed Bug 1107422 Opened 5 years ago Closed 5 years ago

Stealing Firefox saved passwords


(Firefox :: Untriaged, defect)

34 Branch
Windows 7
Not set





(Reporter: balo.andras, Unassigned)



(1 file)

Attached file proof of
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141125180439

Steps to reproduce:

First we need a target site where there is an XSS attack.
Then we can create an iframe with the target site's login page.
Finally, by using an XSS attack, we can easily read the Firefox saved password from the password input.

Actual results:

We could easily steal the plain password without hash cracking or using any advanced techniques. 

Some webpages aren't vulnerable because they use X-Frame-Options; however, there are a lot of targets.

I included the proof of concept.

Expected results:

Firefox shouldn't reload the password field when we open the page with an iframe.
Chrome and IE aren't vulnerable.
Summary: Steal Firefox saved passwords → Stealing Firefox saved passwords
WordPress is also vulnerable, where there is a big persistent XSS issue (on older versions).
Sadly this is a known issue, and the password manager folks consider it the site's problem that it suffers from XSS. Only save your password on sites you know don't have XSS anywhere (or toggle the pref signing.autofillForms to false). See
Group: core-security
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 359675
Also bug 786276 is relevant for addressing just the stealing-via-frame aspect (and something like that is why Chrome and IE are safe from your PoC).
The pref is signon.autofillForms, isn't it?
In this case I am so sad. According to the Trustwave Global Security Report, 82% of applications contain an XSS vulnerability.

Why is this vulnerability so serious?
* The password is the most sensitive data; if we can get the password, we have everything.
* We don't have to be logged in.
* MOST people use the same username and password on a lot of websites.
* XSS is such a common vulnerability and we can prevent it globally.
* This vulnerability can be fixed; XSS cannot.
* We can even write a robot so we don't have to prepare it for a specific website.
If I have to choose between comfort and security, I'd choose security.
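
The report notes that sites sending X-Frame-Options are not exposed to the framed-login-page proof of concept. As an added example (not part of the bug report or of Firefox), the function below classifies a login response's anti-framing headers; it also covers the CSP frame-ancestors directive, which the thread does not mention. The function name, result labels and sample headers are constructed for illustration.

```javascript
// Added example (not from the bug report): classify how a login page's
// response headers restrict framing. `headers` is a plain object of
// response headers; a single enforced CSP policy is assumed.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // An enforced CSP frame-ancestors directive overrides X-Frame-Options.
  // Content-Security-Policy-Report-Only is deliberately not consulted.
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...rest] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    const srcs = rest.map((s) => s.toLowerCase());
    // An empty source list matches nothing, the same as 'none'.
    if (srcs.length === 0 || srcs.every((s) => s === "'none'")) {
      return { framing: 'blocked', via: 'csp' };
    }
    if (srcs.some((s) => s === '*' || s === 'http:' || s === 'https:')) {
      return { framing: 'any-origin', via: 'csp' };
    }
    if (srcs.every((s) => s === "'self'")) {
      return { framing: 'same-origin', via: 'csp' };
    }
    return { framing: 'listed-origins', via: 'csp' };
  }

  // Repeated X-Frame-Options headers arrive joined with commas.
  const xfo = new Set((h['x-frame-options'] || '').split(',')
    .map((v) => v.trim().toLowerCase()).filter(Boolean));
  const known = ['deny', 'sameorigin', 'allowall'].filter((v) => xfo.has(v));
  // Conflicting values (e.g. "SAMEORIGIN, DENY") are treated as a block.
  if ((xfo.size > 1 && known.length > 0) || xfo.has('deny')) {
    return { framing: 'blocked', via: 'x-frame-options' };
  }
  if (xfo.has('sameorigin')) return { framing: 'same-origin', via: 'x-frame-options' };
  // ALLOW-FROM is obsolete and ignored by current browsers, like any
  // unrecognised value, so the page can be framed from anywhere.
  return { framing: 'any-origin', via: 'none' };
}

// Constructed sample responses for a /login page.
const SAMPLES = [
  { 'X-Frame-Options': 'SAMEORIGIN' },
  { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '->', framingPolicy(s));
```

A `same-origin` result still lets pages on the site itself frame the login form; only `blocked` rules out framing entirely.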