Closed Bug 1166235 Opened 10 years ago Closed 10 years ago

Security bug on Zimbra. Password revealed

Categories

Firefox :: Untriaged, defect
Version: 41 Branch
Type: defect
Priority: Not set
Severity: critical


RESOLVED WORKSFORME

People

(Reporter: xavier.delgado, Unassigned)


Details

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20150518030202

Steps to reproduce:

Have an email account. Go to the Zimbra home page https://zimbra.free.fr/ and click login.

Actual results:

Password is displayed as a proposition for filling.

Expected results:

Login should have been proposed.
No problem with Chrome. It fills login and password, but doesn't reveal password.
Severity: normal → critical
Mentor: alexandra.lucinet
Works too on IE.
Matt, can you take a look?
Mentor: alexandra.lucinet
Flags: needinfo?(MattN+bmo)
I can't reproduce with Release (38) or Nightly (41), on Mac anyway. Shouldn't be any different on Windows 8.1 but I didn't test there. I don't have an actual account but I saved a username and password for the site in the password manager. When I return to the site the username and password are correctly filled in, and when I click submit they are sent to the site without showing the password in plain text.

What do you mean "works" on IE? The bug you're describing works (i.e. broken behavior) or the site is behaving correctly like Chrome?

It's possible the site itself is doing something odd when you have an actual account, but that's hard to believe. It would be unsafe to do password checking on the client side, and I saw my incorrect password sent to the site before receiving the error message back.

What add-ons do you have, if any? If you open the page about:support (or Troubleshooting Information on the Help menu) you can copy the "Extensions" block into this bug.
Flags: needinfo?(xavier.delgado)
"works" in IE means that it's like in Chrome. Login and passwd are filled automatically on IE as in Chrome.

I went again on Nightly. Now, I can't have access to my mails.

By the way, I have to be more accurate. Password appears on login textfield when you double-click on login.

Add-ons enabled:

Adblock Plus 2.6.9 true {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Nightly Tester Tools 3.7 true {8620c15f-30dc-4dba-a131-7c5d20cf4a29}
McAfee Security Scan Plus 1.0 false {e4f94d1e-2f53-401e-8885-681602c0ddd8}
Flags: needinfo?(xavier.delgado)
Where are you seeing the password revealed? In an autocomplete dropdown? Below which field?

Could you provide some more details:

1) Attach the log from https://wiki.mozilla.org/Firefox:Password_Manager_Debugging. Please clear the log just before you're going to reproduce the problem.

2) Look in the password manager window: Preferences/Settings => Security => Saved Passwords… and tell me what you see there when you filter for free.fr. Specifically, what is in the username and password fields (click the Show Passwords button).

3) I'm wondering if you're seeing your password in form history (instead of the password manager). Can you run the following code in the Browser Console[1] (not Web Console) and see if your password gets displayed on a line starting with "Form History"?

    // List every form-history value saved for text fields named "login"
    var fac = Cc['@mozilla.org/satchel/form-autocomplete;1'].getService(Ci.nsIFormAutoComplete);
    var searchResult = fac.autoCompleteSearch("login", "", null, null);
    for (let i = 0; i < searchResult.matchCount; i++) {
      console.log("Form History", i, searchResult.getValueAt(i));
    }
Flags: needinfo?(MattN+bmo) → needinfo?(xavier.delgado)
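The triage above rests on Firefox keeping two separate stores: the password manager (site, username, password) and form history (plain values typed into ordinary text fields, keyed by the field's name attribute). A password can only appear in the login field's autocomplete dropdown if it was once typed into that text field and so landed in form history. The following is an added, offline illustration of steps 2 and 3 of that check; it is not code from this bug or from Firefox, and the saved logins and form-history rows are constructed sample data standing in for what the Saved Passwords dialog and the Browser Console snippet would return.

```javascript
// Constructed sample of what the Saved Passwords dialog holds (not real credentials).
const savedLogins = [
  { origin: "https://zimbra.free.fr", username: "xavier.delgado@free.fr", password: "Sample-Pass-1" },
  { origin: "https://zimbra.free.fr", username: "xavier.delgado@free.fr", password: "Sample-Pass-2" },
  { origin: "https://example.org",    username: "xavier.delgado@free.fr", password: "Sample-Pass-3" },
];

// Constructed sample of form-history rows as autoCompleteSearch would list them:
// (field name attribute, value). The second row is a password that was once
// typed into the username box, which is exactly what surfaces in the dropdown.
const formHistory = [
  { fieldname: "login",  value: "xavier.delgado" },
  { fieldname: "login",  value: "Sample-Pass-2" },
  { fieldname: "search", value: "quarterly report" },
];

// Step 2: the Saved Passwords filter matches on site or username, so a filter
// such as "free.fr" also pulls in logins for other sites whose username is the
// free.fr address. Returns the matching login entries.
function loginsForSite(logins, filter) {
  return logins.filter(l => l.origin.includes(filter) || l.username.includes(filter));
}

// Step 3: does any saved password appear verbatim in form history? Returns the
// offending rows (field name + value) so the user knows which history entry to
// delete; a non-empty result means the password manager was not the leak.
function leakedPasswordsInFormHistory(logins, history) {
  const secrets = new Set(logins.map(l => l.password));
  return history.filter(row => secrets.has(row.value));
}

// Combined report for one site filter.
function triage(logins, history, filter) {
  return {
    siteLogins: loginsForSite(logins, filter),
    leaks: leakedPasswordsInFormHistory(logins, history),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const report = triage(savedLogins, formHistory, "free.fr");
  console.log(`${report.siteLogins.length} saved login(s) match the filter`);
  for (const row of report.leaks) {
    console.log(`password found in form history for field "${row.fieldname}"; delete that entry`);
  }
}
```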
In saved passwords, I see 3 good passwords, but usernames are 3 times my email: xavier.delgado@free.fr

By the way: My username in zimbra is xavier.delgado. Not xavier.delgado@free.fr

Now, it works. But it fills automatically xavier.delgado@free.fr instead of xavier.delgado. I've just re-installed Nightly a few days ago.

In Web Console, not Browser Console, I did

    var fac = Cc['@mozilla.org/satchel/form-autocomplete;1'].getService(Ci.nsIFormAutoComplete);
    var searchResult = fac.autoCompleteSearch("login", "", null, null);
    for (let i = 0; i < searchResult.matchCount; i++) {
      console.log("Form History", i, searchResult.getValueAt(i));
    }

ReferenceError: Cc is not defined

Tell me if you want more information. (I couldn't put code in Browser Console)
Flags: needinfo?(xavier.delgado)
Which websites were the 3 logins for (including http or https)? Are you sure that the full email address doesn't work as your username? Did you ever submit and save the login with your username?

I still don't understand why you think this is a security bug as you didn't answer my first question:
> Where were you seeing the password revealed? In an autocomplete dropdown? Below which field?

Oops, I forgot to link to [1] which tells you about the pref devtools.chrome.enabled which can be set to true in about:config to allow typing in the Browser Console. Can you try it again there?

[1] https://developer.mozilla.org/en-US/docs/Tools/Browser_Console#Browser_Console_command_line
Flags: needinfo?(xavier.delgado)
> I still don't understand why you think this is a security bug as you didn't answer my first question:
>> Where were you seeing the password revealed? In an autocomplete dropdown? Below which field?

Password was in an autocomplete dropdown in login field. Security remains that if I've been hacked, the hacker could have seen my password, even if there is little probability.

> Which websites were the 3 logins for (including http or https)? Are you sure that the full email
> address doesn't work as your username? Did you ever submit and save the login with your username?

Actually, I've got a dozen usernames with my email. It's possible that I made a mistake, for zimbra. I changed it. Now it works. It just needs xavier.delgado. Not xavier.delgado@free.fr

> Oops, I forgot to link to [1] which tells you about the pref devtools.chrome.enabled which can be
> set to true in about:config to allow typing in the Browser Console. Can you try it again there?

I couldn't find that. If you want more details, could you do a step by step "How to"? Like us, QA, when we submit you a bug. Thank you very much.

As it works now, is it still a bug?
Flags: needinfo?(xavier.delgado)
I talked to Xavier on IRC and he can't reproduce the problem in a new profile and I believe he said he deleted the old profile so there isn't anything more we can do. I'm ~99% sure this wasn't caused by Firefox itself though.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
To be more accurate, I've not only changed profile. I've deleted and reinstalled Nightly, to be in the same conditions as when the bug appeared. As Matthew said, the bug isn't reproducible.