Closed Bug 1570286 Opened 6 years ago Closed 6 years ago

Saved Passwords in Application Configuration pages are converted to Clear Text

Categories

(Toolkit :: Password Manager, defect)

68 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1388674

People

(Reporter: jpanand, Unassigned)

Details

Attachments

(1 file)

Attached image SavetheLogin.jpg

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 OPR/62.0.3331.72

Steps to reproduce:

I am a support consultant who works on HCM Suite. On the application configuration page, we have SFTP passwords saved in export Jobs. With the latest release, Firefox is reading the saved password and asking me if I would like to save the login with password. It has a check box to show the password. I was surprised to see the application service account's password in clear text.
It's a serious threat to the applications where the credentials can be decoded by anyone who has access to a page.

Actual results:

Anybody can view a saved password configured in application settings pages.

Expected results:

It should show it only if I entered the password in the user name / password section of a page, not by showing a password already saved on a configuration page.

Summary: Passwords are converted to Text → Saved Passwords in Application Configuration pages are converted to Clear Text
Version: 69 Branch → 68 Branch

The image you attached is how our password manager has always worked, I thought. If you don't want to save the password you can say "never ask" and somewhere in preferences/options you can globally turn it off. What did you notice as changed here?

Maybe the show password checkbox is new? Of course Firefox has the password in the clear at that point because you just entered it into the page. If you say to save it, it's not saved in clear text (though easily recoverable by someone with access to your disk unless you use the Master Password feature).

Flags: needinfo?(jpanand)

This bug can be re-opened if there's additional information.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE

Hi, the image attached is taken from a configuration page where my company's SFTP credentials are saved. When I come back from the page to the home screen, why should the browser decode the password and show it to a user who is not supposed to know it?

Flags: needinfo?(jpanand)
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---

(In reply to jpanand from comment #3)

Hi, the image attached is taken from a configuration page where my company's SFTP credentials are saved. When I come back from the page to the home screen, why should the browser decode the password and show it to a user who is not supposed to know it?

I expect the configuration page uses form submission and/or some other method to pass the password around, or that when you say "saved" you actually mean you saved the page somehow (or the page saved itself or whatever).

Needless to say, if the password is saved already in Firefox then it can be found by users of that instance of Firefox.
If it is not saved but it is included somehow in those configuration pages, then any user who has access to it can obtain the password, regardless of whether Firefox shows any of it in the UI. There is nothing magic that Firefox does that exposes the password that is otherwise "safely hidden" - if you're worried about it being accessible to people who shouldn't have access to it this way, you should talk to the people who wrote the web app you're using.

So there doesn't seem to be any reason to keep this hidden from the public. The people who work on our password manager can likely help further diagnose what's going on here.

Group: firefox-core-security
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
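The point made in the comment above, that a secret the web application writes into the configuration page is already available to every user who can load that page, whether or not the browser's password manager surfaces it, can be checked on the application side. The following is an added audit example, not code from Firefox, Bugzilla or the HCM product discussed here: it parses an HTML page and flags credential-looking input fields that arrive from the server with a non-empty value attribute. The sample page, the field names and the placeholder values are constructed for the example.

```python
from html.parser import HTMLParser


class PrefilledSecretFinder(HTMLParser):
    """Collect <input> elements that look like credential fields and are
    sent by the server with a value already filled in.

    A pre-filled value is present in the HTML source and in the DOM, so any
    user (or script) that can load the page can read it; the browser UI
    only makes that visible.
    """

    # Constructed name fragments that usually indicate a secret-bearing field.
    SECRET_NAME_HINTS = ("pass", "pwd", "secret", "token", "key")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # Attributes without a value arrive as (name, None); normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        input_type = a.get("type", "text").lower()
        name = a.get("name", "") or a.get("id", "")
        looks_secret = input_type == "password" or any(
            hint in name.lower() for hint in self.SECRET_NAME_HINTS
        )
        if looks_secret and a.get("value"):
            # getpos() gives (line, column) of the tag start in the fed text.
            self.findings.append(
                {"name": name, "type": input_type, "line": self.getpos()[0]}
            )


def find_prefilled_secrets(html):
    """Return a list of {name, type, line} for every pre-filled secret field."""
    parser = PrefilledSecretFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: an export-job settings form that echoes the stored
# SFTP password and an API token back to the client, plus a normal login
# form whose password field is (correctly) empty.
SAMPLE_CONFIG_PAGE = """<html><body>
<form method="post" action="/export-jobs/save">
  <label>SFTP host <input type="text" name="sftp_host" value="sftp.example.invalid"></label>
  <label>SFTP user <input type="text" name="sftp_user" value="svc_export"></label>
  <label>SFTP password <input type="password" name="sftp_password" value="placeholder-secret"></label>
  <input type="hidden" name="api_token" value="placeholder-token">
  <input type="submit" value="Save">
</form>
<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
</body></html>"""


if __name__ == "__main__":
    for f in find_prefilled_secrets(SAMPLE_CONFIG_PAGE):
        print(f"line {f['line']}: field '{f['name']}' (type={f['type']}) "
              "is sent pre-filled with a secret")
```

Run over a page captured from a staging instance, the script reports the fields whose stored value is being echoed to the client; the fix belongs in the application, which should render such fields blank (or with a fixed "unchanged" sentinel) and only accept a new value on submit, rather than relying on a browser setting to keep the value out of view.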

I'm guessing bug 1287202 in Fx68 probably caused us to show the doorhanger where we didn't before, but that was a defect and it's now working how it's supposed to, other than bug 1388674, which wouldn't prompt to save credentials in forms/fields the user didn't interact with. I will dupe to that bug.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE