Autofill for different subdomain creates risk of credential leakage across subdomains
Categories: Toolkit :: Password Manager, defect
People: Reporter: neilharris2019, Unassigned, NeedInfo
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/111.0
Steps to reproduce:
Visited a web page that popped up an auth0 login page for a domain that I do not have an account on:
https://[redacted].us.auth0.com/u/login
Actual results:
Firefox popped up an autocomplete for a password that is only defined for [otherdomain].us.auth0.com
Expected results:
Firefox should not have offered to autocomplete the password, since the domain registered for the password does not match the domain of the web page.
Comment 1•2 years ago (Reporter)
This looks to me like an opportunity for cross-domain password/identity leakage not just for auth0, but for other multi-tenant services. Is the domain only being matched as far as auth0.com or us.auth0.com, instead of the whole domain path?
Updated•2 years ago
Comment 2•2 years ago
AIUI the same organization/company/entity controls *.auth0.com - they aren't in the public suffix list, so there is no indication to the browser (or me!) that the password would "leak" anywhere other than to the appropriate folks. Therefore I don't think this is a security bug.
We offer the credentials x-subdomain to avoid situations where companies move their login page or have multiple login pages that all take the same credentials (certainly the case on many intranets and so on). So this behaviour is at least to some degree intentional.
bug 1601558 already exists for the fact that the experience can be overwhelming if you have different sets of credentials for many subdomains.
Not sure if it's valuable to keep this open separate from 1601558 - Serg, what do you think?
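The matching rule comment 2 describes, as an added example that is not Firefox code and not part of this bug report: a saved login is offered when the saved host and the page host share a registrable domain (public suffix plus one label), and the Public Suffix List (PSL) is what decides where that boundary sits. The PSL excerpt, the tenant hostnames and the "us.auth0.com listed" scenario below are constructed for illustration; the real PSL is much larger and also carries wildcard and exception rules, which this toy omits.

```javascript
// Constructed PSL excerpt (not the real list). 'github.io' is a genuine PSL
// entry and is included so the effect of being listed can be seen.
const PSL_EXCERPT = new Set([
  'com',        // generic TLD
  'co.uk',      // second-level public suffix
  'github.io',  // listed: every *.github.io is treated as a separate site
]);

// Returns the registrable domain (public suffix + one label) of a host, or
// null when the host is itself a public suffix or ends in an unknown TLD.
function registrableDomain(host, psl = PSL_EXCERPT) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  // Candidates are tried longest first, so the longest listed suffix wins,
  // which is the PSL's own precedence rule.
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (psl.has(suffix)) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return null;
}

// eTLD+1 rule: offer the saved login when both hosts share a registrable
// domain. This is the behaviour comment 2 calls intentional.
function offeredUnderEtldPlusOne(savedHost, pageHost, psl = PSL_EXCERPT) {
  const saved = registrableDomain(savedHost, psl);
  const page = registrableDomain(pageHost, psl);
  return saved !== null && saved === page;
}

// Stricter rule the reporter expected: the exact host must match.
function offeredUnderExactHost(savedHost, pageHost) {
  return savedHost.toLowerCase() === pageHost.toLowerCase();
}

// Constructed stand-ins for the redacted tenants in the report.
const SAVED_HOST = 'tenant-a.us.auth0.com';
const PAGE_HOST = 'tenant-b.us.auth0.com';

// Hypothetical list in which the multi-tenant parent has registered its
// tenant boundary; comment 2 states auth0.com is NOT listed today.
const PSL_WITH_AUTH0_BOUNDARY = new Set([...PSL_EXCERPT, 'us.auth0.com']);

function demo() {
  return {
    // Both tenants collapse to 'auth0.com', so the login is offered.
    sharedRegistrable: registrableDomain(SAVED_HOST),
    offeredToday: offeredUnderEtldPlusOne(SAVED_HOST, PAGE_HOST),
    // Exact-host matching would not offer it.
    offeredExact: offeredUnderExactHost(SAVED_HOST, PAGE_HOST),
    // If 'us.auth0.com' were a public suffix, each tenant would be its own
    // registrable domain and the login would not be offered.
    offeredIfListed: offeredUnderEtldPlusOne(SAVED_HOST, PAGE_HOST, PSL_WITH_AUTH0_BOUNDARY),
    // Real listed suffix for comparison: two github.io sites never match.
    offeredGithubPages: offeredUnderEtldPlusOne('a.github.io', 'b.github.io'),
    // The intranet case comment 2 mentions: a moved login page on the same
    // registrable domain still matches.
    offeredMovedLogin: offeredUnderEtldPlusOne('login.example.co.uk', 'sso.example.co.uk'),
  };
}

console.log(demo());
```

The deciding input is the list, not the matcher: a multi-tenant provider whose tenant boundary is absent from the PSL looks to the browser like a single site, which is exactly the situation the two comments disagree about.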