Filled passwords can be revealed by website reveal password toggles
Categories
(Toolkit :: Password Manager, defect, P3)
People
(Reporter: qqqqqqqqq9, Unassigned)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
Steps to reproduce:
- Have your Google password stored.
- Navigate to www.gmail.com.
- Unhide the password.
Actual results:
Firefox/Lockwise shows the password.
This is ugly because Firefox/Lockwise now offers subdomain matching, i.e. even if somepage.com does not offer password-showing, subpage.somepage.com might.
Expected results:
Showing the password should be blocked or require the masterkey.
Thanks for the details.
I was able to reproduce on Ubuntu 18.04.3 LTS on Firefox Nightly version 71.0 without setting the master key.
Have you set your master key already? Here are the steps on how to do so: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins
Once you choose a master key, it will be requested each time you start a new session (but not each time you visit a website that needs a password).
Best regards, Jero.
Reporter
Comment 2•5 years ago
Hi,
yes I use a master password.
I cannot view or copy inside settings without entering a masterkey.
I think "show password" on webpages should offer the same protection.
Hi,
this time I was unable to reproduce this issue on my end. I tried on Windows 10, macOS 10.14.5 and Ubuntu 18.04.3 LTS with Firefox Nightly version 73.0a1 (2020-01-06) (64-bit).
If you are still experiencing this issue, would you send a screenshot or a video of the bug?
I've already chosen a component for this bug in hope that someone with more expertise may look at it. We'll await their answer.
Regards,
Jerónimo.
Comment 4•5 years ago
This isn't about about:logins, it's about revealing the password using the website UI after autofilling a saved login. Unfortunately there isn't much we can do at this point other than to implement bug 502258, have other browsers do the same (Edge already had this and Chromium is getting it too), and then evangelize that websites should no longer use their own toggle.
Comment 5•3 years ago
As soon as the password is filled into the web page, nothing prevents the web page from exposing it in many interesting ways. Closing this bug as WONTFIX for now.