Closed Bug 159484 Opened 22 years ago Closed 22 years ago

javascript urls can steal password data

Categories

(SeaMonkey :: Passwords & Permissions, defect)

Product:
SeaMonkey
Component:
Passwords & Permissions
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
mozilla1.0.1

People

(Reporter: dveditz, Assigned: morse)

References

Details

(Whiteboard: [adt1 rtm] [ETA 07/30])

Attachments

(5 files, 1 obsolete file)

testcase
870 bytes, text/html
Details
scarier testcase -- will reveal your bugzilla password to passers by
787 bytes, text/html
Details
Fix for 0.9.4 branch
1.21 KB, patch
Details | Diff | Splinter Review
check in two places
2.28 KB, patch
morse
: review+
morse
: superreview+
morse
: approval+
Details | Diff | Splinter Review
Patch #2 for 0.9.4 branch - apply this AFTER applying the first one
1.25 KB, patch
Details | Diff | Splinter Review 
Password manager makes the same kind of host comparing mistake as in bug 152725,
thus javascript urls can steal password data.
QA Contact: tpreston → bsharma
Attached file testcase 
This isn't a full exploit, but if you have password manager stores your
bugzilla password then clicking on the link will load that data into a form.
This is definitely a stop-ship.

Talon doesn't support Password Manager, does it?
Keywords: nsbeta1+
Whiteboard: [adt1 rtm]
Blocks: 143047
Whiteboard: [adt1 rtm] → [adt1 rtm] [ETA Needed]
Target Milestone: --- → mozilla1.0.1
Whiteboard: [adt1 rtm] [ETA Needed] → [adt1 rtm] [ETA 7-29]

    
    

    
  
Should we worry about SINGSIGN_RememberSignonData? Is there a way someone could
*save* a password for another host? If so how bad would that be?

    
    

    
  
I had thought about that but couldn't see any problem.  What would an attacker
gain by having you log on as him -- he could simply do that himself.  Also,
before a password is saved, the user must respond affirmatively to a pop-up
alert, so this can't happen without his knowledge.
Status: NEW → ASSIGNED

    
    

    
  
Comment on attachment 93053 [details] [diff] [review]
check to see if scheme supports hostnames

Hmm, this patch looks oddly familiar. r=mstoltz.

        Attachment #93053 -
        Flags: review+

    
    

    
  
Comment on attachment 93053 [details] [diff] [review]
check to see if scheme supports hostnames

a=chofmann for branch and trunk

        Attachment #93053 -
        Flags: approval+

    
  
Keywords: mozilla1.0.1

    
    

    
  
Comment on attachment 93053 [details] [diff] [review]
check to see if scheme supports hostnames

I can't think of a specific exploit against RememberSignonData, but it's clear
that the end result is known bad data getting into the password file if the
user clicks the wrong button (or another exploit suppresses the dialog?). I
don't know what an attacker could do with it if he succeeded, either, but bogus
data in such a sensitive spot sets off all my paranoia bells.

sr=dveditz if you file a bug on the RememberSignonData spot, or a bug to
convert wallet uses of nsIIOService to nsIURI. This patch is a stopgap anyway,
you're verifying that the nsIURI returns a host, but the host you actually do
use is gotten from a different method and may not in fact match.

        Attachment #93053 -
        Flags: superreview+

    
    

    
  
OK, I agree.  Better safe than sorry.  So I'll add the RememberSignonData patch
here as well.

    
    

    
  


  

        Attachment #93053 -
        Attachment is obsolete: true

    
  

        Attachment #93158 -
        Flags: superreview+

        Attachment #93158 -
        Flags: review+

        Attachment #93158 -
        Flags: approval+

    
    

    
  
Comment on attachment 93158 [details] [diff] [review]
check in two places

bringing reviews forward:
r=mstoltz
sr=dveditz
a=chofmann

    
  
Keywords: adt1.0.1
Whiteboard: [adt1 rtm] [ETA 7-29] → [adt1 rtm] [ETA 07/30]

    
    

    
  
Landed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED

    
    

    
  
bsharma: can you pls verify this one on the trunk tomorrow? thanks!

    
    

    
  
Verified on 2002-07-30-trunk on Win 2000.

Steps:
1. Saved the bugzilla password in the Password Manager.
2. Ran the attached test case.
3. An exception is thrown in the JS console.
4. Ran the form test case.
5. An exception is thrown in the JS console.
Status: RESOLVED → VERIFIED

    
    

    
  
adt1.0.1+ (on ADT's behalf) approval for checkin to the 1.0 branch, pending
drivers ' approval. pls check this in asap, then replace the "mozilla1.0.1+"
with "fixed1.0.1". thanks!
Keywords: adt1.0.1adt1.0.1+

    
    

    
  
Patch checked in on branch.
Keywords: mozilla1.0.1fixed1.0.1

    
    

    
  
a=chofmann for 1.0.1
Group: security?
Group: security?
Group: security
Product: Browser → Seamonkey

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: