Open Bug 1825999 Opened 1 year ago Updated 1 year ago

saved password displayed as suggestion (SECURITY ISSUE)


(Toolkit :: Password Manager, defect, P2)

Firefox 110
(Reporter: mozsupport2019, Unassigned)
(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0

Steps to reproduce:

Previously used the suggested password, slightly edited it, and saved it for a site.
Now visit the site and arrive at the login page.
Click into the password field.

Actual results:

I see three sections displayed in the popup that appears below the password field:

  • the login I saved and the text "From this website" - this is expected and good.
  • "use a securely generated password" and the displayed suggestion is the same as the password that is currently set - this I never ever want to see displayed on the screen unless I asked for it! (masked pink in the screenshot)
  • "View Saved Logins" button - this is expected

Expected results:

  1. either (to me preferably) the "use a securely generated" should not appear if the site I am on already has a saved password. When I revisit a site I already have a stored password for, I am very likely at a login prompt, and not at a "change your password" or "register a new account" page, and being suggested a password is not helpful.
  2. alternatively, the suggestion displayed should be a new random password, and definitely not one that is stored for this or any account! This leaks confidential information to an observer of my browser session and MUST NOT HAPPEN!

( I have not checked "Security" as this is not a vulnerability or issue beyond what the user already observes, so there is no need to hide it and hiding it may only lead to duplicate bug reports.)

The Bugbug bot thinks this bug should belong to the 'Toolkit::Password Manager' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

screenshot of password field popup showing currently set password as generated (masked pink)

Attachment #9326476 - Attachment mime type: application/octet-stream → image/png

The severity field is not set for this bug.
:serg, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sgalich)
Severity: -- → S3
Flags: needinfo?(sgalich)
Priority: -- → P2