Insecure creation of generated passwords
Categories
(Toolkit :: Password Manager, defect)
Tracking
()
People
(Reporter: bugreport, Unassigned)
References
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Steps to reproduce:
- Navigate a website with a signup (registration) form
- Click on the password field and take a look at the password that gets shown ("use a securely generated password")
- (If you want, create an account to demonstrate the possible impact)
- Open a new tab and close the first one
- Navigate to the same page as in the first step, click on the password field and again take a look at the "securely" generated password
Actual results:
Both times, the generated password is the same.
If someone were to create an account on a public computer and then logged out (but didn't close Firefox), an attacker could open the same website and find out what password the victim has used.
Expected results:
The password should be regenerated every time the password field is selected (onfocus)
|
Reporter | |
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•8 months ago
|
|
|
||
Comment 3•6 months ago
|
||
Note: the improvement in bug 1820360 was shipped in Firefox 112. A new secure password will be generated once the current one is saved in the password manager. The primary reason for the reuse was to prevent people from getting locked out of their accounts if they had used the generated password field in a fake-form that didn't trigger our "prompt to save password" function.
Description
•