prsformusic.com triggers multiple Firefox (Win10 111.0.1) primary password entry boxes to access passwords, despite no password for this domain being stored in Password Manager.
Categories
(Toolkit :: Password Manager, defect)
People
(Reporter: mb.iphone.uk, Assigned: serg)
Attachments
(3 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Steps to reproduce:
- Master password should be enabled in Firefox, but must not have been entered within this browser session (i.e. passwords should be locked).
- From Google search, search for Prsformusic
- Click on main results link for Prsformusic.com to go to this web site
Actual results:
Immediately Firefox (version 111.0.1 64bit Win10) pops up Master Password Entry Box (if master password is enabled) before site loads.
Cancelling the Master Password just results in it popping up again, and again and again.
This occurs despite not having any passwords stored within Firefox password manager for the prsformusic.com domain?
(Note: I was able to reproduce this result 3 times)
Expected results:
The Master Password Entry Box should not have appeared, as a password for the prsformusic.com domain was not listed.
This is occurring Sunday Night 26/3/2023 22:45h GMT (I can't speak to whether it will remain ongoing, once prsformusic.com discover the compromise when they reopen tomorrow).
I assume this is a new attack on Firefox to obtain any stored passwords. And it might be useful to analyse this attack on Firefox to prevent this? (Never filed a bug report before)
I'm concerned what would have happened, had I previously entered my Master Password during this browser session.
Comment 1 (Assignee) • 2 years ago
Marcus, thanks for sharing your concern!
Do you have pinned tabs?
Do you use Firefox Account?
These are known to trigger primary password prompts; most likely one of the related bugs is responsible for the issue you are observing.
Comment 2 (Reporter) • 2 years ago
Thanks Sergey, I can confirm that I don't have any pinned tabs, and don't have a Firefox account.
Comment 3 (Reporter) • 2 years ago
As far as I can see, the problem is random. I have been unable to reproduce it this afternoon, but it was happening all Monday evening again.
Example screen shots taken from when I click on the Google link to PRS.
The primary password box pops up immediately on the existing Google search results page (i.e. before the PRS page even begins rendering). The presence of the primary password (PP) box prevents further page loading until the PP box is cancelled or closed, whereupon the PP box immediately pops up again, and again, and again, interrupting the page download on each instance.
The number of times the PP box pops up varies randomly, anywhere from approximately 4 - 9 times, before the PRS web page is finally loaded.
The same PP Boxes popping up happens all over again, if you click the 'login' link in the top right hand corner of the PRS web page.
Comment 4 (Reporter) • 2 years ago
Comment 5 (Reporter) • 2 years ago
Comment 6 • 2 years ago
Is the site trying to do User Authentication with client certs? That's completely separate from passwords, but also protected by the master password. It's used so rarely I can well believe the UX is not that great if the site is insistent on it.
I wonder if it's a legit use of client certs, or some kind of fingerprinting attempt (some browsers used to hand over matching certs when asked, without requiring user confirmation)?
Worth getting to the bottom of, but not a security bug that needs to be hidden.
Comment 7 • 2 years ago
Confirming because Tyson was able to reproduce it easily on this site, and it doesn't happen generally on "sites that have a password field".
Comment 8 • 2 years ago
The severity field is not set for this bug.
:serg, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 9 (Assignee) • 2 years ago
This is definitely a problem, but it's not related to logins themselves. The same happens when logins are turned off.