Closed Bug 1741116 Opened 3 years ago Closed 5 months ago

Password Leak Glitch

Categories

(Toolkit :: Password Manager, defect, P3)

defect

Tracking

()

RESOLVED DUPLICATE of bug 1540727

People

(Reporter: michala.avril, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

Steps to reproduce:

I have a laptop a friend gifted me secondhand. They did not wipe it, so some websites have login info - like suggesting their username / email for logins. I was logging into Google Drive when I was prompted to log in with their email as the username, so I erased their username and put my own. Then, I entered my password. After successfully logging in I was asked if I wanted to save my username and password combo.

Actual results:

I clicked "show password", a habit I always do, and saw what I later confirmed was THEIR password, though it had my username in the username field. I was running Firefox on an ubuntu machine, (firefox Quantum for ubuntu) a Dell inspiration laptop. I am unsure if this is an error on the part of Firefox or Google but I wanted to provide the information to you. This could be a huge issue for users who share devices, who use public computers, who sell / loan their device out, or who have their device stolen. Please let me know if i can provide more info. I am reporting this on my primary device, so system info will not be accurate. Thank you!

Expected results:

The box should have shown my username and the password I entered for the log-in i just executed, or even a similar bug I have seen where my password is shown with the original user's prompted username. It showed my username, their password.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Version: other → unspecified

The symptoms are troubling, but since this isn't something you could make happen to a remote victim we can deal with it as an unrestricted bug.

Group: firefox-core-security

Remind myself that I should take a look into this issue

Flags: needinfo?(dlee)

I can reproduce this issue, but not exactly the same as what described in the bug description.
Here is my reproduce step:

  1. Have a saved login in accounts.google.com (ex. oldusername/oldpassword)
  2. Navigate to the sign-in page, the email field is autofilled with oldusername
  3. Remove oldusername and type moztest@gmail.com
  4. click next to proceed
  5. The prompt is shown. The username/password in the prompt is moztest@gmail.com/oldpassword
    The password field is now filled with oldpassword
  6. Remove oldpassword and type the right password for the login account
  7. Click next to proceed
  8. Successfully logged-in. The prompt is now with moztest@gmail.com and its associated password

So the issue is reproduced at step 5 (new username with old password), but not after I successfully logged-in (step 8).

Hi michala,
Could you help double check whether the problem I saw is the same as what you saw, or is it different?
Thanks!

Flags: needinfo?(dlee) → needinfo?(michala.avril)
See Also: → 1540727

Apologies to get back to this late. I'm at work right now but I will test this again when I get the chance. And for curiosity's sake, I will also try to reproduce it on my main PC and my flatmate's, which uses a different OS - it may be an issue related to the OS + program combo, or some other thing I am unaware of. I will provide this information ASAP. Wanted to make sure I replied when I got the notification so this did not seem dead in the water. Thank you all for your help so far with categories and reproducing efforts so far. Talk to you soon.

To follow up though : Dimi Lee, I am confused with steps 5 and 8. The prompt, I assume, is the pop-up that asks to save username and password, rather than part of the log-in page itself? If so, that differs from my experience. I do not recall having two pop-ups asking to save my password - I only recall one. To format the same way, this is as I experienced it, unless my memory is failing me :

  1. Google Drive login page. There is a username shown, which is oldusername.
  • between Step 1 and Step 2 I am realizing a potential factor : I do not remember if oldusername is shown in a text box I can erase, or if it showed an un-editable oldusername and I selected an option like "log in with another account". Since my original post does not clarify, I will figure out what this is and report back.
  1. I put in newusername (somewhere, I must discover where), then click the next button
  2. There is no password auto-filling into the password box. I enter newpassword.
  3. I have successfully logged in as newusername using newpassword.
  4. A password manager style popup asks me if I want to save the login for newusername and a hidden password. When I click the eye button to view it, I see newusername in the username slot combined with oldpassword.

Also : Can I attach images to a reply, or will I need to add them to the main post or some other way? I can get screen grabs of the whole process to help describe the issue.

Flags: needinfo?(michala.avril)

Come to think of it, I can also try it on a few mobile devices from friends, and possibly a couple extra platforms. Some of my friends are tech nerds with weird combinations of hardware and OS (and old machines if we want to see if it is isolated to older OS) and since they're fascinated by the bug I could probably get them to repeat the steps, once I have the exact steps on-hand. I see a duplicate or similar bug is linked here - are there any additional OS that would be of particular interest? I could probably get : a few unknown varieties of android, a few versions of iOS, a couple MacOS, Win7, Win10, ubuntu, linux, galliumOS (?), maybe a couple others if I ask nicely, haha.

The severity field is not set for this bug.
:sgalich, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sgalich)

Hi michala, thank you for the information.

(In reply to michala.avril from comment #5)

Also : Can I attach images to a reply, or will I need to add them to the main post or some other way? I can get screen grabs of the whole process to help describe the issue.

You can attach image by "Attach New File" in attachments section.

are there any additional OS that would be of particular interest?

I think this problem may not be related to the platforms, so you can check whether you can reproduce this with the laptop you have.

Severity: -- → S3
Flags: needinfo?(sgalich)
Priority: -- → P3
Status: UNCONFIRMED → RESOLVED
Closed: 5 months ago
Duplicate of bug: 1540727
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.