Closed Bug 1350983 Opened 7 years ago Closed 5 years ago

Prevent password manager auto-fills on change password profiles forms

Categories

(Toolkit :: Password Manager, defect)

52 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1119514

People

(Reporter: guerin45, Unassigned)

Details

(Whiteboard: [sec-insecure-third-party-site-reviewed])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170316213829

Steps to reproduce:

Got a site providing a way to change your account password, like JIRA, Bugzilla, forums...

Since the autocomplete=off attribute is ignored, it's never been easier to steal user accounts because Firefox auto-fills the registered old password.

Even worse, since Firefox 52, when a password input that is not auto-filled gets the focus, an autocompletion is shown and you can select a registered password!


Actual results:

The old password is either auto-filled or selectable by autocompletion.

It is a major security issue.


Expected results:

NEVER auto-fill passwords on forms with more than one password input, because it is most certainly a change password form and the person who uses the form can no longer be authenticated with certainty.
Severity: normal → major
Component: Untriaged → Security
Severity: major → normal
Component: Security → Password Manager
Product: Firefox → Toolkit
Whiteboard: [sec-insecure-third-party-site-reviewed]
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Summary: [UX] Prevent password manager auto-fills on change password profiles forms → Prevent password manager auto-fills on change password profiles forms