Password of user is hack-able if user logins to browser

RESOLVED INVALID

Status

()

RESOLVED INVALID
2 years ago
2 years ago

People

(Reporter: renju_kunjumon, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
Created attachment 8877567 [details]
Mozilla.png

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce:

1. Open Firefox browser and turn ON the F12 Developer tool of browser.

2. Go to Network tab in F12 Developer tool and enable the 'Preserve log' checkbox.

3. Minimize the F12 Developer tool.

4. Ask your friend/anyone to login to Facebook via the Firefox browser where the F12 developer tool is minimized.

5. Let your friend to do a login and once login, tell him to logout his session.

6. Now open the F12 developer tool which you minimized earlier.

7. Come to Network tab, and take a look on the below php call for login.

https://www.facebook.com/login.php?login_attempt=1&lwv=120&lwc=1348060

8. Now go to the Header sub tab of the same login php call.



Actual results:

Take a look on the Form Data under Params on right hand side of F12 window .

There you can see your Friends password as pass: <Password of your friend will be displayed here>

This scenario is a serious and very high priority security vulnerability issue which I feel and Facebook can file a case against this.




Expected results:

My suggestion for resolving this issue as follows.

1. Mask/encrypt the password field value

2. Don't show the password field in Params

This scenario is a serious and very high priority security vulnerability issue which I feel and Facebook can file a case against this.

Comment 1

2 years ago
The exact same issue exists in Chrome, IE, Edge, Safari, and presumably any browser that ships devtools. There's nothing we can realistically do to protect users from this.

(In reply to RENJU P KUNJUMON from comment #0)
> My suggestion for resolving this issue as follows.
> 
> 1. Mask/encrypt the password field value
> 
> 2. Don't show the password field in Params

If we did either of this, an attacker could just create a (cross-browser) add-on that inspected requests and logged the data elsewhere itself. The password parameter isn't special in any way, and in many cases it won't be possible for the browser to know it contains your password at all.

If Facebook were concerned about this, they could do client-side encryption in JS to avoid the plaintext password being part of the request - though again, that protection would still fail if you had a browser extension that ran on facebook and just logged all your "friend"'s keypresses.


This is why you shouldn't log in on machines (or using browsers) you don't trust.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.