Closed Bug 1780571 (CVE-2022-42931) Opened 2 years ago Closed 2 years ago

Username leaked to form history

Categories

(Toolkit :: Form Manager, defect, P2)

Product:
Toolkit
Component:
Form Manager
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
106 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox105 --- wontfix
firefox106 --- fixed

People

(Reporter: serg, Assigned: issammani)

References

Details

(Keywords: sec-low, Whiteboard: [adv-main106+])

Attachments

(3 files)

Bug 1780571 - Reproduce bug and add test to catch it. r=sgalich!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1780571 - Check if input is managed by LoginManager before saving it to FormHistory database. r=sgalich!
48 bytes, text/x-phabricator-request
Details | Review
advisory.txt
280 bytes, text/plain
Details

STR

  1. verify formhistory.sqlite is empty
  2. go imdb login page (or any other login page)
  3. attempt to login and save login in password manager
  4. formhistory.sqlite will have username stored in plain text
Severity: -- → S2
Priority: -- → P2

I can confirm. This is the formhistory.sqlite entry just now.

677 Bugzilla_login xxxxx@xxxxxxxxx 1 1658438391070000 1658438391070000 YCjMUXDaRsOqG9JK

Is this not intentional? The username is part of the form, and is not hidden text? I don't know what the expectations are for this. Are form fields supposed to be stored in one and only one place, so if it's part of a password it's no longer part of the form?

You're the triage owner so I guess you get to say :-) If this is a security bug what severity would you give it? sec-low? sec-moderate? just a privacy problem?

Flags: needinfo?(sgalich)

(In reply to Daniel Veditz [:dveditz] from comment #3)

Is this not intentional? The username is part of the form, and is not hidden text? I don't know what the expectations are for this. Are form fields supposed to be stored in one and only one place, so if it's part of a password it's no longer part of the form?

You're the triage owner so I guess you get to say :-) If this is a security bug what severity would you give it? sec-low? sec-moderate? just a privacy problem?

Forms managed by Password Manager encrypt username and password.
Form History should not be involved if form is managed by Password Manager.

At the moment I think this is sec-low. Something that I expect to be encrypted can be found in plain form in another file nearby.

But it may turn to sec-moderate if I can use that username knowledge to figure the encryption key to decrypt password. This is something I still need to review.

Flags: needinfo?(sgalich)
Assignee: nobody → imani

I've spoke with crypto folks, they feel current encryption should hold.

Keywords: sec-low

This bug is similar to 394612

Attachment #9289452 - Attachment description: Bug 1780571 - Check if input is managed by LM before saving to FH. r=sgalich! → Bug 1780571 - Check if input is managed by LoginManager before saving it to FormHistory database. r=sgalich!

Reproduce bug and add test to catch it. r=sgalich
https://hg.mozilla.org/integration/autoland/rev/d7d188482489b74205598e37ae1eb7f1a7152430
https://hg.mozilla.org/mozilla-central/rev/d7d188482489

Check if input is managed by LoginManager before saving it to FormHistory database. r=sgalich
https://hg.mozilla.org/integration/autoland/rev/65bd3d4ffbc9e9cc000b6cd3151f7f1325a1d396
https://hg.mozilla.org/mozilla-central/rev/65bd3d4ffbc9

Group: firefox-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox106: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
status-firefox105: --- → wontfix
status-firefox-esr102: --- → wontfix
Flags: in-testsuite+

Removing security flag due to similar bug 394612 being public already.

Group: core-security-release
Whiteboard: [adv-main106+]
Alias: CVE-2022-42931
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: