Closed Bug 1604297 Opened 3 years ago Closed 10 months ago

Filled passwords can be revealed by website reveal password toggles

Categories

(Toolkit :: Password Manager, defect, P3)

71 Branch

RESOLVED WONTFIX

People

(Reporter: qqqqqqqqq9, Unassigned)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0

Steps to reproduce:

  1. Have your Google password stored.
  2. Navigate to www.gmail.com.
  3. Unhide the password.

Actual results:

Firefox/Lockwise shows the password.
This is ugly because Firefox/Lockwise now offers subdomain matching,
i.e. even if somepage.com does not offer password-showing,
subpage.somepage.com might.

Expected results:

Showing the password should be blocked or require the master key.

Thanks for the details.
I was able to reproduce on Ubuntu 18.04.3 LTS on Firefox Nightly version 71.0 without setting the master key.
Have you set your master key already? Here are the steps on how to do so: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins
Once you choose a master key, it will be requested each time you start a new session (but not each time you visit a website that needs a password).

Best regards, Jero.

Flags: needinfo?(qqqqqqqqq9)

Hi,

Yes, I use a master password.
I cannot view or copy inside settings without entering a master key.
I think "show password" on webpages should offer the same protection.

Flags: needinfo?(qqqqqqqqq9)

Hi,
This time I was unable to reproduce this issue on my end. I tried on Windows 10, macOS 10.14.5 and Ubuntu 18.04.3 LTS with Firefox Nightly version 73.0a1 (2020-01-06) (64-bit).

If you still are experiencing this issue, would you send a screenshot or a video of the bug?

I've already chosen a component for this bug in hope that someone with more expertise may look at it. We'll await their answer.

Regards,
Jerónimo.

Component: Untriaged → about:logins

This isn't about about:logins, it's about revealing the password using the website UI after autofilling a saved login. Unfortunately there isn't much we can do at this point other than to implement bug 502258, have other browsers do the same (Edge already had this and Chromium is getting it too), and then evangelize that websites should no longer use their own toggle.

Component: about:logins → Password Manager
Depends on: 502258
Keywords: dupeme
Priority: -- → P3
Product: Firefox → Toolkit
Summary: Lockwise should block show password in websites → Filled passwords can be revealed by website reveal password toggles

As soon as a password is filled into the web page, nothing prevents the web page from exposing it in many interesting ways. Closing this bug as WONTFIX for now.

Status: UNCONFIRMED → RESOLVED
Closed: 10 months ago
Resolution: --- → WONTFIX
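
The closing comment's point, from the monitoring side, as an added example that is not part of the bug thread or of Firefox's code: a filled field's masking is only its `type` attribute, so the most a page-side monitor can do is notice the attribute flip. It cannot see a script reading `.value`, which is the limit the WONTFIX describes. The function names (`findReveals`, `watchReveals`) and the sample records are constructed for illustration.

```javascript
// Added example: flag filled password fields whose masking is switched off.
// The core works on MutationRecord-shaped objects so it also runs outside a browser.

// Return one finding per record where an input went from type=password
// to a type that renders its value in clear text.
function findReveals(records) {
  const findings = [];
  for (const r of records) {
    if (r.type !== 'attributes' || r.attributeName !== 'type') continue;
    const was = (r.oldValue || '').toLowerCase();
    const now = String(r.target.type || '').toLowerCase();
    if (was === 'password' && now !== 'password') {
      findings.push({
        field: r.target.name || r.target.id || '(unnamed)',
        newType: now,
        // The value was readable by page script before the flip as well;
        // the flip only changes what is painted. The value is never logged.
        hadValue: String(r.target.value || '').length > 0,
      });
    }
  }
  return findings;
}

// Browser wiring (hypothetical helper): observe `type` changes under root.
function watchReveals(root, onReveal) {
  const obs = new MutationObserver((recs) => findReveals(recs).forEach(onReveal));
  obs.observe(root, { attributes: true, attributeFilter: ['type'],
                      attributeOldValue: true, subtree: true });
  return obs;
}

// Constructed sample records, shaped like what MutationObserver delivers.
const SAMPLE_RECORDS = [
  { type: 'attributes', attributeName: 'type', oldValue: 'password',
    target: { name: 'Passwd', type: 'text', value: 'constructed-secret' } },
  { type: 'attributes', attributeName: 'class', oldValue: 'a',
    target: { name: 'Passwd', type: 'text', value: 'constructed-secret' } },
  { type: 'attributes', attributeName: 'type', oldValue: 'text',
    target: { name: 'Passwd', type: 'password', value: 'constructed-secret' } },
  { type: 'attributes', attributeName: 'type', oldValue: 'password',
    target: { id: 'pin', type: 'text', value: '' } },
];
```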