Open Bug 1844457 Opened 10 months ago Updated 6 months ago

Discover.com login reveals user password in plain text in Firefox for Android

Categories

(Fenix :: Browser Engine, defect)

Firefox 115
All
Android
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: rfarmer84, Unassigned)

Details

Steps to reproduce:

I found and reported a security vulnerability on Discover Bank’s mobile web site.

I called 1-800-Discover to tell them how to reproduce it and expose the user’s account credentials to anyone with local access to the phone’s Web browser if that browser is Firefox or Fennec on Android.

I noticed this problem several months ago and meant to say something and it still does it.

With Mobile Firefox or Fennec for Android, and your Discover.com login credentials saved, go to Discover.com and tap Log In, then tap the login name for the account you want to log into.

Once you do, the orange button underneath “User ID” and “Password” will change and expose your full password instead of “Log In”.

This appears to only happen in Firefox for Android and not Google Chrome or Vivaldi, so it's possible they're provoking some bug in Gecko that leads to password exposure.

Since I believe the public has a right to know about security issues that software vendors and Web sites have not fixed, and some vendors just sit on them forever and figure it's not a problem as long as it's not widely known, I have already publicly disclosed this problem on my blog as additional incentive for an investigation and proper and timely fix.

Actual results:

The user's login password for their online banking and credit card account is exposed in the orange button that normally says "Log In" as soon as the user autofills the login details, which is a security hazard since anyone with an unlocked phone could just open Firefox and find out what the owner's Discover Bank password is.

Expected results:

The orange box should still say Log In and not the user's password.

The severity field is not set for this bug.
:jonalmeida, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jonalmeida942)

Something changed where this no longer occurs if you autofill from Firefox, but if you use Google Password Manager, which interjects on top of Firefox's suggested logins, and use that, the behavior still occurs.

So if Google Password Manager is used (again, it's not made obvious to the user that this is Google, they just shove their own password manager on top of Firefox's), then this is a problem.

I should probably add that in my opinion the correct behavior would be to block Google Password Manager from ever showing up over Firefox as this duplicates Firefox's built-in password manager, is deceptive to the user and is a security hazard to Firefox users.

I think that if possible, Mozilla should do something to suppress Google Password Manager, as I certainly never asked it to pop up and steal my passwords, but they're a bunch of Sneaky Petes over there and make it seem like it's something from Mozilla.

Hey Ryan,

How are you auto-filling using Google's password manager? Would it be possible to create a test login and create a video of the steps you're using to reproduce?

Severity: -- → S4
Flags: needinfo?(jonalmeida942) → needinfo?(rfarmer84)

Jeff,

Sadly I can only make one account per bank account so I don't believe it would be possible to do a throwaway to demonstrate the problem.

What happens is that if you tap the form for username, Firefox has one password manager and Google overlays the other one (without asking, which I consider a spoofing vulnerability they've deliberately caused). What happens then depends on which password manager the user taps on, which may also have different passwords depending on whether the user has changed their Discover password and updated one password manager but not the other.

At the very least this is aggressive and poor design on the part of Google, and I think that asking them to knock it off would be appropriate, only I do not know where to try to get their attention on this.

Flags: needinfo?(rfarmer84)