Cookies allow to access stored passwords

VERIFIED DUPLICATE of bug 184436

Status

Product: Firefox
Component: Address Bar
Priority: --
Severity: critical
16 years ago
15 years ago

People

(Reporter: Nicolas PENINGUY, Assigned: Joe Hewitt (gone))

Tracking

Firefox Tracking Flags

(Not tracked)

Description

16 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021214
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5

A website can read stored passwords using cookies.


Reproducible: Always

Steps to Reproduce:
1. rm -rf ~/.phoenix
2. go to http://www.lfmm.org/phoenix/
3. Enter login "tagada" and password "tsointsoin", check Use password manager...
4. go to http://perso.club-internet.fr/hcheli/

Actual Results:  
On the page you can read "Bonjour tsointsoin".

Expected Results:  
The site should ask your name.

Comment 1

16 years ago
Same on windows with build Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
rv:1.3a) Gecko/20021207 Phoenix/0.5

Comment 2

16 years ago
I can reproduce the bug on Windows 2000, running Phoenix 0.5
OS-> ALL
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5

I can read "Bonjour tsointsoin !
Cela fait 2 fois que vous surfez sur cette page."

('tsointsoin' being the password I entered on previous site)

This is a serious security issue. Thanks to Nicolas for reporting the bug and
Laurent for re-creating the first web site so we can reproduce the bug faster.

Confirming.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All

Comment 3

Is this perhaps a dupe of bug 184436?

Comment 4

16 years ago
Yes, dupe.

Please always try to reproduce the bug with the latest nightly before filing it.

*** This bug has been marked as a duplicate of 184436 ***
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → DUPLICATE

Comment 5

15 years ago
verified.
Status: RESOLVED → VERIFIED