Closed Bug 1772843 Opened 2 years ago Closed 2 years ago

about:logins search/filters accounts by password when searching

Categories

(Firefox :: Untriaged, defect)

Firefox 101
defect

RESOLVED DUPLICATE of bug 1748065

People

(Reporter: rbertra, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0

Steps to reproduce:

  • Go to: about:logins
  • Go to the "search logins" box
  • Start typing some of your own password

Actual results:

login list is filtered automatically by the password value being searched

Expected results:

The login list should not be filtered by the password value being searched. Filtering should only be done by email or website value... Currently, it leaks security information, as one can figure out which passwords contain certain digits/characters. Also, from the GUI, we can see the password length, which is another leak of information.

Security threat: someone gets access to my browser (e.g. I left my laptop unattended/unlocked in my office/desktop). Then they open a tab with about:logins, the master password is not asked for (either not set or recently used), and they search by specific password sequences knowing the password length... If no strong passwords are used (i.e. short or using "easy" words), one can figure out parts of the password (if not all) and then reduce the space for a brute search.

:Ramon Bertran Monfort, thank you for filing this bug!

The search by password is a feature. It can be used to find reused passwords or to search for an old password that needs to be updated. Also, by the time an attacker is in about:logins, there is nothing that can realistically be done to stop them. More details can be found in Bug 1765473.

Regarding password length leak - totally agree, this should be fixed and we track it in Bug 1748065.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security