1247245 - Firefox should not autofill passwords when the form fields are invisible

Status: NEW

(Toolkit :: Password Manager, defect, P3)

Description

[BoffinBrain]

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160208194709

Steps to reproduce:

Firefox will happily detect forms containing text fields and password fields and autofill them if there is a password saved for the site, even if those fields aren't visible. This can result in accidental disclosure of credentials if Firefox guesses incorrectly (which is another bug I'm going to file) or if the page is maliciously designed to steal passwords.



Expected results:

When Firefox is looking at the fields of a form, if the candidate fields for username/password are hidden, do not autofill them, but allow the user to pick from the autocomplete list if they become visible later.

Comment 1

[Graham Perrin]

<https://github.com/MrAlex94/Waterfox/issues/352> draws attention to this bug in the context of: 

Flaw In Major Browsers Allows 3rd-Party Scripts to Steal Your Saved Passwords
<https://thehackernews.com/2018/01/browser-password-managers.html>

Comment 2

[kai.unger]

Proof of concept here: https://senglehardt.com/demo/no_boundaries/loginmanager/index.html

Comment 3

[bugzilla_mozilla]

Detecting if the form is "invisible" is not feasible. There are thousands of ways to effectively make forms invisible:
- style="display: none"
- style="position: absolute: left: -1000"
- style="width:0; height:0; overflow:hidden"
- display another element ontop of it (using z-index)
- setting all colors to the same colors as the environment of the form
- ...

Another problem is that all these properties are not static. A script could create a visible form, wait until it gets filled, copy the credentials, and then delete or hide the form. This can happen within milliseconds and the user would not even notice it.

The solution cannot be to detect whether the form is invisible or not.
The solution must be that Firefox only fills the form once the user interacted (clicked/focused) it.
Thus, the solution is simple. Change the default of signon.autofillForms to false:

signon.autofillForms = false

For the time being, you can do so yourself using about:config.

Comment 6

[Matthew N. [:MattN]]

We can maybe use Intersection Observer for this. I think we will end up in an arms race and the cost to compute visibility isn't zero so this could have a performance cost. We would need to keep an intersection observer around as long as there are hidden fields so that we can fill them when they become visible. We would also need to have a minimum amount of time for the fields to be visible otherwise attackers would just make them visible for a short time that users won't notice.

Comment 7

[u646497]

(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #6)

We can maybe use Intersection Observer for this. I think we will end up in an arms race and the cost to compute visibility isn't zero so this could have a performance cost.

There might be an option that will not cost that much performance:
Firefox could only show that the fields are filled to the user, but not filling them on the page in reality. Firefox then only fills the fields when the user takes some actions like actively sending the form. As an additional warning for the user, Firefox could actively make autofilled forms visable by rendering them always ontop+inscreen with small Style overwrite.

Comment 8

[bugzilla_mozilla]

We would also need to have a minimum amount of time for the fields to be visible otherwise attackers would just make them visible for a short time that users won't notice.

Does it really help if the user can watch while his password/data is being stolen?

Firefox could only show that the fields are filled to the user, but not filling them on the page in reality. Firefox then only fills the fields when the user takes some actions like actively sending the form.

What if a script triggers sending of the form? fill the data or not? The user would expect the data is filled, as he sees the data filled. But a script could always trigger sending of a form without any user interaction.

I am living very happily with this for a long time:

signon.autofillForms = false

I even set this on the Firefox of a couple of noob users and noone complained about the need to click form fields to fill them.

Comment 9

[regularmike]

"Invisible" is indeed hard to define. However, not filling an input that appears to be hidden seems a lot safer than filling it. If there is a CSS rule to hide an input or one of its ancestor elements I would rather have it err on the side of caution and not fill it like the other clients seem to (Chrome and Edge at least, when I tested this week).

Comment 10

[lord_damokles]

Even with signon.autofillForms = false the master password dialog is triggered, which is quite annoying for sites that include the login form even if you are already logged in. As I use a secure password I don't like to enter it unless I actually want to log in. So is there another option that I need to set, so that the master password dialog is not triggered unless I click in the username/password fields?

Comment 11

[BugBot [:suhaib / :marco/ :calixte]]

The severity field for this bug is relatively low, S3. However, the bug has 17 votes and 6 See Also bugs.
:serg, could you consider increasing the bug severity?

For more information, please visit auto_nag documentation.

Comment 12

[BugBot (nomail) [:suhaib / :marco/ :calixte]]

The last needinfo from me was triggered in error by recent activity on the bug. I'm clearing the needinfo since this is a very old bug and I don't know if it's still relevant.

Comment 14

[Liam Morland]

It is hard to define invisible at the CSS level. What is not hard to do is to prevent it from autofilling the values of input elements with type="hidden". Those should never be filled.