Firefox fills out hidden password fields and fills out password fields without a user interaction requirement
Categories: Toolkit :: Password Manager, defect
People: Reporter: sectroyer, Unassigned
References: Blocks 1 open bug
Details: Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments: 1 file (855 bytes, application/zip)
Hello.
I have sent you a report but I am not sure if it was processed correctly, as I only received an automated message saying that security issues should be reported using this form. So I attach the details once more below. Let me know if you need anything else. Is the XSS example enough, or should I provide an HTML Injection one as well?
During a security audit of a web application we noticed that in some requests the user's password is sent in plaintext. We were surprised, as there was no obvious reason for that. After careful investigation we were able to pinpoint it to Firefox's way of handling saved passwords. In this mechanism there are two security related issues:
- Firefox will fill out any password field on a specific domain without user interaction. For example Safari requires users to at least password field to not fill out fields automatically.
- Firefox will fill out any HIDDEN password field on a specific domain. This should never happen, as there is no particular reason to automatically fill out hidden password fields.
We have prepared two simplified test files (login.html and home.html). After "logging in" and saving the password, the user is redirected to home.html, where an XSS attack with a hidden password field is simulated. The user's password is automatically "stolen" and displayed using the JavaScript alert function. A similar attack might be possible using HTML Injection, as the user will have no idea that the form he is submitting contains his saved password in a hidden field. Also, only the password can be hidden and the rest of the form can be filled out with legitimate data. It can also be a single submit button with one hidden password field, so the user won't even think of it as a form but rather as a regular button.
This issue was found by Michał Majchrowicz & Livio Victoriano, AFINE Team.
Regards.
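The condition the report describes is a password input the user cannot see but that the browser will still fill. As an added example (not part of the report or its attachment), here is a small audit helper a web application team can run in the page to list such fields; the classifier is kept separate from the DOM walker so it can be tested without a browser. The descriptor field names and the `auditHiddenPasswordFields` name are this example's own.

```javascript
// Describe one input with the properties the classifier needs. In a browser these
// come from getComputedStyle() and getBoundingClientRect(); in tests they are
// constructed by hand.
function describeInput(el, win) {
  const style = win.getComputedStyle(el);
  const rect = el.getBoundingClientRect();
  return {
    name: el.name || el.id || "(unnamed)",
    display: style.display,
    visibility: style.visibility,
    opacity: parseFloat(style.opacity),
    width: rect.width,
    height: rect.height,
    left: rect.left,
    top: rect.top,
    hasValue: el.value.length > 0,
  };
}

// Why a password field would be invisible to the user; null when it is visible.
// Order matters: a display:none element also has a zero-size box, so the more
// specific reasons are checked first.
function hiddenReason(d) {
  if (d.display === "none") return "display:none";
  if (d.visibility === "hidden") return "visibility:hidden";
  if (d.opacity === 0) return "opacity:0";
  if (d.width === 0 || d.height === 0) return "zero-size box";
  if (d.left + d.width <= 0 || d.top + d.height <= 0) return "positioned off-screen";
  return null;
}

// Walk the document and report every <input type=password> (or an input whose
// autocomplete token names a password) that the user cannot see. `filled` is true
// when the field already holds a value, e.g. one the browser autofilled on load,
// which is exactly the hidden-but-filled field the report is about.
function auditHiddenPasswordFields(doc = document, win = window) {
  const sel = 'input[type="password"], input[autocomplete*="password"]';
  return Array.from(doc.querySelectorAll(sel))
    .map((el) => describeInput(el, win))
    .map((d) => ({ name: d.name, reason: hiddenReason(d), filled: d.hasValue }))
    .filter((r) => r.reason !== null);
}
```

Run `auditHiddenPasswordFields()` from the console after the page has loaded (so autofill has already happened); an entry with `filled: true` is a saved password sitting in a field the user never saw.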
Comment 1•2 years ago
Thanks for the report. I'm passing this to the relevant team. Serg, can you take a look?
For example Safari requires users to at least password field to not fill out fields automatically.
This sentence appears to have a verb missing. Reporter, can you clarify what you meant?
Yes, it was a typo. I meant "[...] Safari requires users to at least click password field [...]".
Comment 3•2 years ago
sectroyer thanks for sharing your concerns with us!
Hidden inputs definitely need an improvement; this is tracked in bug 1783962.
Autofill can be turned off in Settings > Autofill logins and passwords (also see bug 1755724).
Comment 4•2 years ago
...During a security audit of a web application we noticed that in some requests the user's password is sent in plaintext. We were surprised, as there was no obvious reason for that. After careful investigation we were able to pinpoint it to Firefox's way of handling saved passwords. ...
Many web sites send username/password in plain text relying on connection encryption. It's not tied to autofill; the same will happen when users manually type their password. I just tried to inspect network traffic signing in to Facebook and they encrypt the password. Signing in to Google, it's sent in plain text.
...Similar attack might be possible using HTML Injection as user will have no idea that the form he is submitting contains his saved password in hidden field. ...
If an attacker can inject their HTML into a form it's "game over". They can just monitor events in the input and steal data even before submission.