Closed Bug 1573525 Opened 6 years ago Closed 6 years ago

View another person password by save password from Firefox

Categories

(Toolkit :: Password Manager, defect)

defect
Not set
normal


RESOLVED DUPLICATE of bug 1388674

People

(Reporter: will.unicamp, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

I was able to see another person's password through the Firefox save password feature. The password was inserted inside a WordPress plugin, on another machine, and it was saved there. From my machine, I've opened the same page and saved the same form, and Firefox offered me the option to save and view the password.

Flags: sec-bounty?

(In reply to will.unicamp from comment #0)

> I've opened the same page and saved the same form, and Firefox offered me the option to save and view the password.

This will be because the password is included in the form that you saved. You already had access to that password; it's not Firefox that allows this, it's the plugin page that echoes it into the page.

Removing the security flag as this isn't a Firefox security issue. It's possible we can avoid the password manager prompting here, so keeping the bug for that - though it might be impossible if the WordPress plugin is badly written.

Which WordPress plugin was this?

Group: firefox-core-security
Type: task → defect
Component: Security → Password Manager
Flags: needinfo?(will.unicamp)
Product: Firefox → Toolkit

I've experienced this issue before in another form. My internet provider had configured my router with user and password for PPPoE access, through remote access. I shouldn't know the password, but by accessing the form and clicking on the update button (without changing anything) I was able to see the password by clicking on "show password", offered to me by the browser.

The WordPress plugin is WP Mail SMTP.

Flags: needinfo?(will.unicamp)

Gijs is right: if you looked in the developer tools or View Source, you would have already been able to see the password without the prompt to save. Bug 1388674 would be a potential solution for this though there may be times when the user does want to save that password…

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
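The point made in the replies above (the settings page itself echoes the stored password into the form, so the save prompt reveals nothing the page had not already sent) as an added example; it is not code from this bug, from Firefox, or from the plugin. Python stands in for the server-side rendering, and the field name `smtp_pass` and the secret are constructed for illustration.

```python
import html
from html.parser import HTMLParser


def render_field(name, stored_secret, echo_stored):
    """Render a password input for a settings form.

    echo_stored=True reproduces the pattern discussed in the thread: the
    stored secret is written into value="", so it is in the page source.
    echo_stored=False is the hardened form: the secret never leaves the server.
    """
    if echo_stored:
        value = html.escape(stored_secret, quote=True)
        return f'<input type="password" name="{name}" value="{value}">'
    hint = "(unchanged)" if stored_secret else ""
    return f'<input type="password" name="{name}" value="" placeholder="{hint}">'


def apply_update(stored_secret, submitted):
    """Hardened save handler: a blank submission keeps the stored secret."""
    return submitted if submitted else stored_secret


class _PrefilledSecretFinder(HTMLParser):
    """Collects password inputs that arrive with a non-empty value attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value", "").strip():
            self.findings.append(a.get("name") or a.get("id") or "<unnamed>")


def prefilled_password_fields(markup):
    """Audit check: names of password fields whose value is sent in the HTML."""
    finder = _PrefilledSecretFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings
```

Running `prefilled_password_fields` over the rendered HTML of your own admin or device configuration pages flags every field that would let any viewer of the page read the stored credential.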