Closed Bug 1875616 Opened 2 years ago Closed 2 years ago

"Use a securely generated password" option used a pre-existing password

Categories

(Toolkit :: Password Manager, defect)

Firefox 121
Desktop
macOS
defect

RESOLVED DUPLICATE of bug 1551723

People

(Reporter: sadegh.kazemy, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Hello,

I ran into a security issue where I wanted to get a securely generated password from Firefox in the password field, but it only offers existing saved passwords!

I have two Skype accounts, usernames and passwords saved. I wanted to change one, and I noticed Firefox is not actually generating a new secure password; rather, it's offering the password to the other account! Attached a screenshot.

Here is some info that might help you:

This happened on the Microsoft / Skype site
Had two different saved usernames and passwords
Mac OS 14.2.1 (23C71)
Firefox: 121.0.1 (64-bit)

Let me know if you need more info on this

Flags: sec-bounty?
OS: Unspecified → macOS
Hardware: Unspecified → Desktop
Version: unspecified → Firefox 121
Component: Security → Password Manager
Product: Firefox → Toolkit

Updating the summary to be more specific. Adjust as needed.

Summary: A security bug in password generator on Firefox → "Use a securely generated password" option used a pre-existing password

Firefox will keep the same generated password for a given site as long as Firefox is running. In other words, if you:

  1. start Firefox
  2. go to example.com (or whatever domain)
  3. use a generated password on that site
  4. time passes, while Firefox keeps running
  5. go to example.com again and generate another password

then the passwords in steps 3 and 5 will be the same. This is a known issue with how generated passwords work right now.

Is it possible this is what happened here? (id est, you'd already used the generated password at some point for the "other account")

Flags: needinfo?(sadegh.kazemy)

Hi Gijs, based on what you've described I think this is very likely the same issue that you mentioned.

Flags: needinfo?(sadegh.kazemy)

I just upgraded to Firefox 122.0 and the issue is fixed.

Thanks for the quick comment! When you restarted to update, that will have reset the password Firefox generated for that site.

The reason Firefox keeps the password in memory is that it's not always obvious when the password is definitely "used" - sometimes there is a "confirm your new password" field, or you have to log in again after confirming your email etc. (and not everyone would have saved the password immediately)

Of course, the flip side as you noted here is that not getting rid of the password until the browser is restarted is also confusing / can lead to password reuse.

We're tracking improving this in bug 1551723.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1551723
Resolution: --- → DUPLICATE
Group: firefox-core-security
Flags: sec-bounty? → sec-bounty-