Closed Bug 1594072 Opened 5 years ago Closed 5 years ago

Autofill will populate hidden fields with data without telling the user

Categories

(Toolkit :: Form Autofill, defect)

70 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1392944

People

(Reporter: russ, Unassigned)


Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36

Steps to reproduce:

I created a test harness with hidden fields last_name, city, street, phone in a form

Code pen can be found here: http://bit.ly/2NJr99q

Actual results:

When autocomplete filled out the email field, the hidden fields were still populated with data, allowing me to submit PII unknowingly via the form.

Expected results:

The hidden form fields should not be filled out

Matt, do you know about this code while Jared is out?

Component: Untriaged → Form Autofill
Flags: needinfo?(MattN+bmo)
Product: Firefox → Toolkit

(In reply to :Gijs (he/him) from comment #1)

Matt, do you know about this code while Jared is out?

I lead the Form Autofill project :)

The bug summary isn't true. We took this attack into account from the beginning of the project so that's why we do tell the user what data types will be filled. See the yellow row in the suggestion dropdown, it's yellow because it's a warning.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(MattN+bmo)
Resolution: --- → DUPLICATE
Group: firefox-core-security

Do you really think this is acceptable??

Image of drop down

There is no way the plurality of users would ever see that, and the yellow box allows for no meaningful interaction. You can't change behavior aside from turning off auto-complete altogether, and you can't edit the hidden fields if accidentally selected. Plus I have to assume this breaks honey pots set up to trap bots.

One problem is that it's extremely difficult to determine whether a field is "visible enough" for it to be filled when working against a malicious website. There are dozens of ways a user could obscure visibility of fields, and they can also be dynamically changing/animating these CSS properties. I did mark your bug as a duplicate of one that can try to determine when fields are visible for non-malicious sites, so I'm not saying there isn't more for us to do.
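A sketch of the "visible enough" problem described in the comment above, as an added example that is not Firefox's Form Autofill code: each rule is one distinct way markup or CSS can hide a field that still submits with the form. The field objects, the thresholds MIN_VISIBLE_PX and MIN_VISIBLE_OPACITY, and the sample form are constructed stand-ins for a browser's computed style, not real DOM.

```javascript
// Added example, not Firefox's Form Autofill code: a heuristic deciding whether
// a form field is "visible enough" to autofill, given a snapshot of what a
// browser would compute for it. Each rule is one distinct way a page can hide
// a field that still submits with the form, which is why the check is hard.
const MIN_VISIBLE_PX = 1;        // assumption: a box smaller than 1px is unreadable
const MIN_VISIBLE_OPACITY = 0.1; // assumption: nearly transparent counts as hidden

// Returns the reasons a field should be treated as hidden (empty if none).
function hiddenReasons(f) {
  const reasons = [];
  if (f.type === 'hidden') reasons.push('type=hidden');
  if (f.display === 'none') reasons.push('display:none');
  if (f.visibility === 'hidden' || f.visibility === 'collapse') reasons.push('visibility:' + f.visibility);
  if (f.opacity < MIN_VISIBLE_OPACITY) reasons.push('opacity');
  if (f.width < MIN_VISIBLE_PX || f.height < MIN_VISIBLE_PX) reasons.push('zero-size');
  // Box lies entirely outside the viewport (the classic left:-9999px trick).
  const offScreen = f.left + f.width <= 0 || f.top + f.height <= 0 ||
                    f.left >= f.viewportWidth || f.top >= f.viewportHeight;
  if (offScreen) reasons.push('off-screen');
  if (f.clipped) reasons.push('clip/overflow'); // clip-path, overflow:hidden on a 0px ancestor, etc.
  return reasons;
}

function visibleEnough(f) { return hiddenReasons(f).length === 0; }

// Names of the fields a cautious autofill would be willing to populate.
function fillableFields(form) { return form.filter(visibleEnough).map(f => f.name); }

// Constructed sample mirroring the report: one visible email field plus
// last_name, city, street, phone, each hidden by a different technique.
const VISIBLE = { type: 'text', display: 'block', visibility: 'visible', opacity: 1,
  width: 200, height: 24, left: 10, top: 10, viewportWidth: 1024, viewportHeight: 768, clipped: false };
const sampleForm = [
  { ...VISIBLE, name: 'email' },
  { ...VISIBLE, name: 'last_name', type: 'hidden' },
  { ...VISIBLE, name: 'city', display: 'none' },
  { ...VISIBLE, name: 'street', left: -9999 },
  { ...VISIBLE, name: 'phone', opacity: 0 },
];

console.log(fillableFields(sampleForm)); // ["email"]

// The snapshot limitation raised in the comment: a field that is visible when
// the suggestion dropdown opens can be hidden by script or animation before the
// fill lands, so any such check has to be repeated at fill time.
```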

