Closed Bug 1722556 Opened 3 years ago Closed 3 years ago

Autofill should require user action

Categories

(Toolkit :: Password Manager, enhancement)

Tracking

RESOLVED DUPLICATE of bug 1427543
Tracking Status
firefox92 --- affected

People

(Reporter: sjw+bugzilla, Unassigned)

Details

(Keywords: sec-want, Whiteboard: [passwords:fill-ui] [passwords:heuristics] [parity-chrome] [parity-edge] [parity-safari] [parity-Vivaldi] )

If autofill is enabled (which is the default in Firefox), malicious JavaScript can steal the credentials from the login form.

Other browsers require any kind of user interaction with the site (e.g. keystroke, mouse click) to fill in the actual data. This can protect users from silently losing their credentials in an iframe, pop-up, hidden form, etc.

A detailed analysis of this behavior can be found in the linked article.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE