1118400 - [Tracking] Password Manager Security

Status: NEW

(Toolkit :: Password Manager, defect)

Description

[Tanvi Vyas[:tanvi]]

Master tracking bug for all Password Manager security issues.

Adding some existing bugs here.  Will file more and do a clean up of the below (to resolve duplicates)

759860, 534541 - Don't autofill username and password
748193 - Add a warning for insecure password fields
653132, 443345 - Secure Filling

Comment 1

[Tanvi Vyas[:tanvi]]

Bug 360493 - check the form action's hostname hasn't changed from the time you saved the password.  This was an issue with sites that reflected user generated content and allowed their users to inject <form> element.  This was fixed, adding it as a dependent here for completeness.

Comment 2

[Tanvi Vyas[:tanvi]]

Bug 1118511 - Don't autofill username and password
Bug 748193 - Add a warning for insecure password fields (in general)
Bug 1118558 - Add a warning for insecure password fields in the saved logins UI
Bug 1118540 - Secure Filling
Bug 1118549 - Encrypting passwords stored by the Password Manager
Bug 1118553 - Flag duplicate passwords in Password Manager UI 
Bug 360493 - Use the hostname of form action as part of the key when saving passwords (already done)

Comment 3

[Chris Karlof [:ckarlof]]

I'm appending this to our Password Manager 2015 tracking bug, to give people working on that visibility into what sort of security improvements we're thinking about.