Closed
Bug 233075
Opened 21 years ago
Closed 21 years ago
Password autofills in cleartext
Categories
(Toolkit :: Password Manager, defect)
RESOLVED DUPLICATE of bug 242956
mozilla1.7
People
(Reporter: outzider, Assigned: bryner)
Details
(Keywords: privacy)
User-Agent:
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Forgive the example, it's a 'save as'd page, for the site in question is still in development and on the internal network.

I found this bug by accident, but I could see it being a potential issue. The password autofill feature in Firebird will fill based on keywords. For this site, the username is an email address, and the password is keyed to the email address. After adding a change password field to our add/edit user accounts area, I forgot to make the password field a type of 'password' rather than 'text', and found that when Firebird keyed the 'E-Mail Address' field, filled by the CGI script, it went ahead and filled in the 'Password' field -- in plain cleartext. Not really a good thing. Of course, neither is a password field of a 'text' type, but we're nitpicking. :)

Reproducible: Always

Steps to Reproduce:
1. Create fields matching already saved password on the same domain.
2. Load page. CGI enters email address in email address field.
3. Profit.

Actual Results: Firebird autofilled the password field, displaying my saved password in cleartext.

Expected Results: Likely ignored the password field. It's better to be safe than sorry.
Comment 1•21 years ago
This is invalid - if it's not a type "password" then it doesn't involve the password manager. What you're probably seeing is the autocomplete function. I can't even verify this bug such as it is since when I enter a sample password it appears in cleartext. When I submit it I get an error page.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Reporter
Comment 2•21 years ago
The example page was merely a save as from a project that only works internally. I can put together an actual test case where this will work. If the autofill system is saving fields called 'password', that would still be a problem, wouldn't it?
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Assignee
Comment 3•21 years ago
Confirmed. The field filling logic does not check that the password field has type=password, only that it has the same name as the field the value was saved from.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Target Milestone: --- → Firefox0.9
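
The matching behaviour confirmed in comment 3, as an added example that is not part of the bug report and is not Mozilla's password manager code: a simplified model, with form fields as plain objects, comparing a name-only match against one that also requires type=password. The field names, sample credentials and function names are constructed for illustration.

```javascript
// Simplified model of the behaviour confirmed in comment 3; not Mozilla's code.
// Form fields are plain objects so the example runs in Node without a DOM.

// Constructed sample data: a saved login and the misbuilt form from the report.
const savedLogin = {
  usernameField: "email", passwordField: "password",
  username: "user@example.test", password: "s3cret-sample",
};
const makeForm = (passwordType) => [
  { name: "email", type: "text", value: "user@example.test" }, // prefilled by the server
  { name: "password", type: passwordType, value: "" },
];

// Fill the saved password once the username field holds the saved username.
// With checkType=false only the field name is compared (the reported behaviour);
// with checkType=true the target must also be an <input type="password">.
function fillPassword(fields, login, checkType) {
  const user = fields.find((f) => f.name === login.usernameField);
  if (!user || user.value !== login.username) return { filled: false, reason: "username mismatch" };
  const target = fields.find((f) => f.name === login.passwordField);
  if (!target) return { filled: false, reason: "no matching field" };
  if (checkType && String(target.type).toLowerCase() !== "password") {
    return { filled: false, reason: "field is not type=password" };
  }
  target.value = login.password;
  return { filled: true, reason: "ok" };
}

// Names of fields that would render the saved password as readable text.
function cleartextExposures(fields, login) {
  return fields
    .filter((f) => f.value === login.password && String(f.type).toLowerCase() !== "password")
    .map((f) => f.name);
}

// Run both matching rules against a type=text and a type=password form.
function demo() {
  const rows = [];
  for (const checkType of [false, true]) {
    for (const type of ["text", "password"]) {
      const form = makeForm(type);
      const result = fillPassword(form, savedLogin, checkType);
      rows.push({ checkType, type, ...result, exposed: cleartextExposures(form, savedLogin) });
    }
  }
  return rows;
}
console.log(demo());
```
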
Comment 4•21 years ago
That's not an issue of FireFox IMO, but of the webmaster. I don't think IE cares either, but I've never sic'ed it on a badly coded webpage before.
Reporter
Comment 6•21 years ago
(In reply to comment #4)
> That's not an issue of FireFox IMO, but of the webmaster. I don't think IE cares
> either, but I've never sic'ed it on a badly coded webpage before.

Irrelevant. This was discovered by accident, and would certainly not have a plaintext password in a production environment, but there are plenty of stupid webmasters out there with many naive surfers out there. A web browser should do anything it can to prevent a privacy breach, or we end up just like Microsoft.
Assignee
Comment 7•21 years ago
This was fixed over in bug 242956.

*** This bug has been marked as a duplicate of 242956 ***
Status: NEW → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → DUPLICATE
Updated•16 years ago
Product: Firefox → Toolkit