Closed Bug 1626153 Opened 4 years ago Closed 4 years ago

Saved login autofilled in a password change without user interaction in a cross-origin frame

Categories

(Toolkit :: Password Manager, defect)

defect
Not set
normal


RESOLVED DUPLICATE of bug 786276

People

(Reporter: a1406339013, Unassigned, NeedInfo)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

When changing the password after login, some websites fill in the user's current password by default, which allows clickjacking to change the user's password. Is this a vulnerability in your browser?

You can watch the demo video here:

https://drive.google.com/open?id=1Hnsc5jaQvq8Nov13qSM9PeWXJW-f7WO6

Test the site on firefox: https://121.201.22.62/
User name: youkong@coresrc.cn
Password: a123456789.
Change the password address: https://121.201.22.62/coremail/XT5/pref/password.jsp?uid=youkong%40coresrc.cn&locale=zh_CN&method=post&backurl=

Test the site on Google Browser: https://121.201.22.62/
User name: youkong@coresrc.cn
Password: a123456789.
Change the password address: https://121.201.22.62/coremail/XT5/pref/password.jsp?uid=youkong%40coresrc.cn&locale=zh_CN&method=post&backurl=

Nesting pages with <iframe> causes clickjacking to change the user's password:

<!DOCTYPE HTML>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
    <title>poc</title>
  </head>
  <body>
    <iframe src="https://121.201.22.62/coremail/XT5/pref/password.jsp?uid=youkong%40coresrc.cn&locale=zh_CN&method=post&backurl="></iframe>
  </body>
</html>
Flags: sec-bounty?
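Added example, not part of the bug report or of Firefox's code: a small Python check of the server-side mitigation against the framing described above, i.e. whether a page's response headers (X-Frame-Options or CSP frame-ancestors) let a cross-origin page embed it in an <iframe>. The headers and the third-party origin are constructed; only the password-change URL comes from the report, and the source matching is a simplified model of what browsers do.

```python
from urllib.parse import urlparse


def _origin(url):
    """Reduce a URL to its origin: scheme://host[:port], lower-cased."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def allows_cross_origin_framing(headers, page_url, embedder_url):
    """True if a document at embedder_url could load page_url in an <iframe>.

    Simplified model: CSP frame-ancestors wins over X-Frame-Options when both
    are present; sources are matched as 'none' (alone), 'self', '*', a bare
    scheme such as https:, or an exact origin. No recognised header at all
    means the page can be framed, which is what the clickjacking PoC relies on.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    same_origin = page == embedder

    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if sources == ["'none'"]:
            return False
        for src in sources:
            if src == "*" or (src == "'self'" and same_origin):
                return True
            if src.endswith(":") and embedder.startswith(src):  # scheme source
                return True
            if src == embedder:
                return True
        return False  # a frame-ancestors list that matches nothing blocks framing

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    return True  # header absent or unrecognised: browsers ignore it


if __name__ == "__main__":
    # Constructed sample: the page URL is from the report, the headers are not.
    page = "https://121.201.22.62/coremail/XT5/pref/password.jsp"
    third_party = "https://third-party.example/"
    print(allows_cross_origin_framing({}, page, third_party))  # True
    print(allows_cross_origin_framing({"X-Frame-Options": "DENY"}, page, third_party))  # False
```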

Matt, could you triage this? It sounds like a possible password manager issue to me, but maybe I'm wrong. Thanks.

Flags: needinfo?(MattN+bmo)

I believe this is a duplicate of bug 786276, do you agree? i.e. the problem is that we autofill without user interaction in cross-origin frames. You would still have to trick the user into entering a new password and submitting the form.

Type: task → defect
Component: Security → Password Manager
Flags: needinfo?(MattN+bmo) → needinfo?(a1406339013)
Product: Firefox → Toolkit
Summary: A security breach in firefox → Saved login autofilled in a password change without user interaction in a cross-origin frame

This seems to work in the same way. It should be a loophole, and it's been so long. Why can I reproduce it?

Flags: needinfo?(a1406339013)

That is an open bug, not fixed, and it's only rated sec-low because of the user interaction required (that I mentioned here in comment 2). It's more of a privacy (tracking) issue than a security issue. We should fix it but it's not a high priority currently.

Can I make this bug public or are those real credentials in comment 0?

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

yes

Group: firefox-core-security
Flags: sec-bounty? → sec-bounty-

This should be fixed by Bug 786276 now. 梁国强, can you please check it out on the latest Firefox Beta 83.0b4? Here is from where you can download it: https://www.mozilla.org/en-US/firefox/83.0beta/releasenotes/

Flags: needinfo?(a1406339013)