Closed Bug 1386989 Opened 8 years ago Closed 8 years ago

LOOPHOLE IN FIREFOX WHICH COULD SACRIFICE A PERSON'S LOGIN PASSWORD

Categories: Toolkit :: Password Manager, defect
Version: 57 Branch
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED INVALID
People: Reporter: w_mansur.4563; Assignee: Unassigned

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20170802100302

Steps to reproduce:
I LOGGED INTO A SECURED SITE LIKE YAHOO.COM AND LOGGED INTO MY EMAIL ACCOUNT WITH "Stay signed in" TICKED ON.

Actual results:
AFTER I LOGGED OUT AND AGAIN LOGGED IN TO MY ACCOUNT, THE PASSWORD IS VISIBLE AFTER CLICKING ON THE GREEN LOCK ICON, THEN CLICKING ON MORE INFORMATION, THEN GOING TO THE SECURITY TAB AND CLICKING ON SAVED PASSWORD. NOW THIS IS A SECURITY FLAW BECAUSE I RUN A BPO CALL CENTER AND NEED MY AGENTS TO LOG IN TO A SITE WITH REMEMBER CREDENTIALS TICKED ON. IF THE AGENT KNOWS IT BASICS HE CAN EASILY SEE THE SAVED PASSWORD AND LEAK IT TO OTHERS. THIS IS A SERIOUS SECURITY FLAW.

Expected results:
EVEN IF REMEMBER CREDENTIALS OR "Stay signed in" IS TICKED ON, THE PASSWORD SHOULD NOT BE VISIBLE TO ANYONE, EVEN TO THE PERSON WHO TICKED ON REMEMBER CREDENTIALS. IN THIS WAY MANY PASSWORDS CAN BE SAVED FROM BEING HACKED, ESPECIALLY FOR NON-TECHNICAL PERSONS WHO DON'T KNOW THESE THINGS.
You seem to fundamentally misunderstand how password managers work. If Firefox puts the password in the webpage's input box, the user on the computer can read it. It's that simple. They might need to use the web developer tools which ship with Firefox, or an add-on, or whatever, but they can read it. Equally, if Firefox can open the relevant file with passwords in it, so can the user, and then the user can still read them (they're obfuscated, but only encrypted with a master password if you set one, and obviously the users would have that password or they wouldn't have been able to have the password auto-filled). Listing the passwords is convenient for users. Removing the listing wouldn't fix the issue - only obfuscate things, without actually fixing the security problem. We will not remove this feature (or password management generally) just because your BPO call centre has poor password management practices. Don't make users with different privileges share computers and/or OS user accounts, and this problem goes away.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Resolution: --- → INVALID
The "stay signed in" checkbox in the Yahoo page controls how they set their cookie: whether it's discarded when you close the browser (so the next user has to log in again) or saved so you don't have to log in at all on the same computer. If you explicitly log out of Yahoo (or other similar sites) the cookie is deleted. This has nothing to do with saving your password. In Firefox if you log in to a site you will get a panel that opens near the URL bar that asks if you want to save that password. If you choose to save it then it's saved until you go into Settings and manually delete it. You or someone must have done that at some earlier point (it won't ask again if the same password is already saved). If you're on a shared computer then saving your passwords is a bad idea; you can turn off the password manager from the same Settings page where you saw the button to show your saved logins.
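As an added illustration of the cookie behaviour described in the comment above (example code written for this page, not Firefox's or Yahoo's own; the cookie name `sid`, the 30-day lifetime and the attribute set are assumptions), this shows the Set-Cookie a server emits for the two "stay signed in" states, the already-expired cookie an explicit logout sends, and a classifier for what a browser will do with each. None of it involves the password: the cookie only carries an opaque session id.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"  # hypothetical cookie name, not Yahoo's real one


def build_login_cookie(session_id, stay_signed_in, max_age_days=30):
    """Set-Cookie value a server would emit after a successful login.

    stay_signed_in=False: no Max-Age/Expires, so the browser discards the
    cookie when it closes (a "session cookie"). stay_signed_in=True: a
    Max-Age is added and the cookie survives browser restarts.
    """
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = session_id  # opaque id, never the password
    m = jar[SESSION_COOKIE]
    m["path"] = "/"
    m["secure"] = True      # only sent over HTTPS
    m["httponly"] = True    # not readable by page scripts
    m["samesite"] = "Lax"
    if stay_signed_in:
        m["max-age"] = max_age_days * 24 * 3600
    return m.OutputString()


def build_logout_cookie():
    """Explicit logout: overwrite the cookie with an already-expired one."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = ""
    jar[SESSION_COOKIE]["path"] = "/"
    jar[SESSION_COOKIE]["max-age"] = 0
    return jar[SESSION_COOKIE].OutputString()


def classify_set_cookie(header_value, now=None):
    """Return 'session', 'persistent' or 'deleted' for a Set-Cookie value,
    following the browser's rule: no Max-Age/Expires means discard on exit."""
    jar = SimpleCookie()
    jar.load(header_value)
    m = next(iter(jar.values()))
    now = now or datetime.now(timezone.utc)
    if m["max-age"] != "":
        return "deleted" if int(m["max-age"]) <= 0 else "persistent"
    if m["expires"] != "":
        exp = parsedate_to_datetime(m["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return "deleted" if exp <= now else "persistent"
    return "session"
```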