Lockwise password manager is using authentication domain for site instead of actual site
Categories
(Toolkit :: Password Manager, defect)
People
(Reporter: td47, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Steps to reproduce:
Go to https://support.divx.com and click sign-in, then in the login frame, click on the "sign up" link.
Actual results:
Firefox will incorrectly choose the Authentication Domain (divx.zendesk.com) as the account/site key instead of support.divx.com, when completed.
The sign-up frame/form uses an Authentication Domain in the first part of the frame-serving URL, but the Lockwise process should be using the origin ("return_to") URL as the account logon key.
Expected results:
The login entry should have been created using the domain from the "return_to" part, that is: support.divx.com.
Reporter
Comment 1•5 years ago
Not sure if this is fixable with a recipe, or if the DIVX site is just not following standards.
I can work around this by editing the Lockwise login entry (you have a really good/useful password manager), but non-techies might have an issue trying to log in unless this is manually edited.
Comment 2•5 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 3•5 years ago
Hello, what problem does this cause for you? What you describe is what I would expect. Using the origin from an arbitrary query parameter would be a big security issue.
Reporter
Comment 4•5 years ago
As I was trying to set up a new login and register an account with https://support.divx.com, I would have expected the account entry to be that site, and NOT its back-end authentication site https://divx.zendesk.com.
Your Password Manager sets up the entry with a site name that does not allow a direct login. In any event, in 6 months time, I will not remember that the ZENDESK back-end is actually for the DIVX main site. I know how to manipulate the Password Manager UI to change stuff, but many non-tech users might not be comfortable with that. This detracts from its useful purpose.
This result appears to be like another bug I saw in the list for "Product/Component: Toolkit :: Password Manager: Site Compatibility" bugs. I will check my emails to find the one of interest, as I think you might be in the middle of fixing that one. I will update this again later if I find it.
Reporter
Comment 5•5 years ago
Hello again, I think I found the one that sounds very similar to my issue, it is 1639738:
https://bugzilla.mozilla.org/show_bug.cgi?id=1639738
I don't know the "internals" of the Password Manager, so not sure, but from a User and UI perspective, this sounds similar.
Reporter
Comment 6•5 years ago
By the way, I did not initially understand your comment "Using the origin from an arbitrary query parameter would be a big security issue", so I have read again what I reported, and I think I did not make it clear that I used the "View Source" option to see what was going on in that sign-up page. That is where I got the frame action string from, where it calls the back-end authentication site https://divx.zendesk.com, so it was NOT an arbitrary query string that I put together myself; it is part of their site source!
Comment 7•5 years ago
Hey Tony,
We can't use the return_to query parameter in this case because it would open up a fairly bad security flaw. That parameter does come from their source, but they could just as easily put &return_to=www.google.com, or &return_to=www.evil.com, which would let them trick users into adding logins for websites that they (Divx) don't control. I tested in Chrome and LastPass, and they both handle this the same way we do, presumably for that reason.
Unfortunately this is a flaw in how the website was written that we don't have any way to work around. The only fix for this would be to reach out to the maintainers of the website and ask them to fix it. The fix would be helpful for them too, because it would improve how all password managers work on their site, not just us.
Sorry we couldn't help more here, but thank you for filing!
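The trust-boundary argument in the comment above, as an added illustration that is not Firefox/Lockwise code and not the site's own code: a password manager keys a saved login by the origin of the page that actually hosts the sign-up form, because that is the one value the page author cannot forge, whereas a return_to query parameter is written by the page author and can name any origin. The frame URLs below are constructed for the example (the divx.zendesk.com and support.divx.com hostnames come from the report; www.evil.com is a placeholder, as in the comment), and the function names are assumptions made here.

```javascript
// Added example (not Firefox/Lockwise code). Shows why the login key must be
// the origin hosting the form and not the value of a return_to parameter.

// Constructed URLs for the example. The first mimics a hosted sign-up frame
// that points back at the customer site; the second is the same frame with a
// return_to value the frame's author chose to point at an unrelated origin;
// the third uses a scheme-less value as written in the comment above.
const SIGNUP_FRAME_URL =
  "https://divx.zendesk.com/auth/v2/login/registration" +
  "?return_to=https%3A%2F%2Fsupport.divx.com%2Fhc%2Fen-us";
const MALICIOUS_FRAME_URL =
  "https://divx.zendesk.com/auth/v2/login/registration" +
  "?return_to=https%3A%2F%2Fwww.evil.com%2F";
const SCHEMELESS_FRAME_URL =
  "https://divx.zendesk.com/auth/v2/login/registration" +
  "?return_to=www.google.com";

// What a password manager uses as the key: scheme + host + port of the page
// the form lives on. Nothing from the path or query string is included, so the
// page author cannot steer the key anywhere else.
function loginKeyFromForm(formPageUrl) {
  return new URL(formPageUrl).origin;
}

// The naive alternative: take the origin from the page's own return_to value.
// The page author fully controls this string. Relative values resolve against
// the form page (as a browser would), so a scheme-less "www.google.com" stays
// on the hosting origin; an absolute URL does not.
function naiveKeyFromReturnTo(formPageUrl) {
  const page = new URL(formPageUrl);
  const hint = page.searchParams.get("return_to");
  if (hint === null) return null;
  return new URL(hint, page).origin;
}

// Policy a manager can apply: always key by the hosting origin, and treat a
// return_to hint as rejected whenever it names any other origin. The hint is
// never allowed to widen where the credential will later be offered.
function chooseLoginKey(formPageUrl) {
  const key = loginKeyFromForm(formPageUrl);
  const hintedOrigin = naiveKeyFromReturnTo(formPageUrl);
  const hintRejected = hintedOrigin !== null && hintedOrigin !== key;
  return { key, hintedOrigin, hintRejected };
}

// Stand-alone run: print the decision for each constructed frame URL.
for (const url of [SIGNUP_FRAME_URL, MALICIOUS_FRAME_URL, SCHEMELESS_FRAME_URL]) {
  console.log(url, "->", JSON.stringify(chooseLoginKey(url)));
}
```

For the legitimate frame the hint points at support.divx.com, which is what the reporter wanted as the key, but the manager has no way to distinguish that case from the malicious frame, where the same mechanism would register a credential keyed to www.evil.com; the only safe rule is to ignore the hint and key by the hosting origin in both cases.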
Reporter
Comment 8•5 years ago
Hello Severin, thanks for the very useful comments and recommendation. I have raised a support ticket with DIVX tonight, so hopefully they will look into it and fix it, based on your testing and input.