Closed Bug 1765473 Opened 2 years ago Closed 2 years ago

Passwords on "about:logins" page can be searched by "Search Logins" field

Categories

(Firefox :: about:logins, defect)

Firefox 99
Desktop
Unspecified
defect


RESOLVED DUPLICATE of bug 1634906

People

(Reporter: scenariobug9, Unassigned)

References

Details

Attachments

(1 file)

[Affected versions]:

  • Firefox Nightly 101.0a1 (2022-04-19) (64-bit)
  • Firefox Release 99.0.1 (64-bit)

[Affected Platforms]:

  • Windows 10 Pro 10.0.19044
  • Ubuntu 20.04.3 LTS
  • macOS High Sierra 10.13.6

[Steps to reproduce]:

  1. Navigate to the "about:logins" page.
  2. Start typing.
  3. Observe the search results.

[Expected result]:

  • The login list displays logins that contain typing content in "Website address", and "Username" fields.

[Actual result]:

  • The login list displays logins that contain typing content in "Website address", "Username" and "Password" fields.

[Notes]:

  • If passwords can be searched in the "Search Logins" field, it provides a way to guess passwords. Firstly, we can know the length of the password by counting the black dots in the "Password" field. Then, by searching in the "Search Logins" field, we can try to find out the password by brute-force search, since the number of searches is unlimited.

Therefore, I submit this issue as a potential security problem; if it is not, I'm so sorry for bothering you.

:scenariobug9 thanks for reporting these findings, it's best to share your concerns.

Searching by password is not a security bug; it's more of a useful feature. For example, you can search by your password to quickly find duplicates (reusing passwords is bad, but humans keep trying). If the attacker got access to your unlocked system, then they can do so many things, like installing a keylogger or stealing access tokens. Guessing passwords would be the least effective way of spending time.

The password length leak is definitely a flaw that we are fixing in Bug 1748065.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX

I've added a list of similar bugs related to "search by password".

(In reply to Sergey Galich from comment #1)

> :scenariobug9 thanks for reporting these findings, it's best to share your concerns.
>
> Searching by password is not a security bug; it's more of a useful feature. For example, you can search by your password to quickly find duplicates (reusing passwords is bad, but humans keep trying). If the attacker got access to your unlocked system, then they can do so many things, like installing a keylogger or stealing access tokens. Guessing passwords would be the least effective way of spending time.
>
> The password length leak is definitely a flaw that we are fixing in Bug 1748065.

Thanks for your reply!

From your reply, I can completely understand your design. Thanks for your nice job.

Resolution: WONTFIX → DUPLICATE
Duplicate of this bug: 1848724
No longer duplicate of this bug: 1848724
