Closed Bug 233075 Opened 21 years ago Closed 21 years ago

Password autofills in cleartext

Categories

(Toolkit :: Password Manager, defect)

x86
Windows XP
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 242956
mozilla1.7

People

(Reporter: outzider, Assigned: bryner)

Details

(Keywords: privacy)

User-Agent:       
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Forgive the example, it's a 'save as'd page, for the site in question is still
in development and on the internal network. I found this bug by accident, but I
could see it being a potential issue.  The password autofill feature in Firebird
will fill based on keywords.  For this site, the username is an email address,
and the password is keyed to the email address.  After adding a change password
field to our add/edit user accounts area, I forgot to make the password field a
type of 'password' rather than 'text', and found that when Firebird keyed the
'E-Mail Address' field, filled by the CGI script, it went ahead and filled in
the 'Password' field -- in plain cleartext.   Not really a good thing.  Of
course, neither is a password field of a 'text' type, but we're nitpicking. :)

Reproducible: Always
Steps to Reproduce:
1. Create fields matching already saved password on the same domain.  
2. Load page. CGI enters email address in email address field.
3. Profit.

Actual Results:  
Firebird autofilled the password field, displaying my saved password in cleartext.

Expected Results:  
Likely ignored the password field.  It's better to be safe than sorry.

This is invalid - if it's not a type "password" then it doesn't involve the
password manager. What you're probably seeing is the autocomplete function.

I can't even verify this bug such as it is since when I enter a sample password
it appears in cleartext. When I submit it I get an error page.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
The example page was merely a save as from a project that only works internally. I can put together an 
actual test case where this will work.  If the autofill system is saving fields called 'password', that would 
still be a problem, wouldn't it?
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Confirmed.  The field filling logic does not check that the password field has
type=password, only that it has the same name as the field the value was saved from.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Target Milestone: --- → Firefox0.9
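
Added example, not part of the original thread and not Mozilla's code: a minimal model of the fill logic described in the confirmation above, with name-only matching beside a variant that also requires `type=password`. The field objects, function names and sample values are constructed for illustration, and the trigger (username field already holding the saved username) is an assumption based on the report.

```javascript
// Plain objects stand in for <input> elements, so this runs without a DOM.
// All names and values below are constructed for the example.
const savedLogin = {
  usernameField: "email",
  username: "user@example.test",
  passwordField: "password",
  password: "constructed-secret",
};

// Build the add/edit-user form from the report; passwordType is the <input type>.
function makeForm(passwordType) {
  return [
    { name: "email", type: "text", value: "user@example.test" }, // prefilled by the CGI
    { name: "password", type: passwordType, value: "" },
  ];
}

// Name-only matching, as described in the confirming comment.
function fillByNameOnly(fields, login) {
  const user = fields.find((f) => f.name === login.usernameField);
  const pass = fields.find((f) => f.name === login.passwordField);
  if (!user || !pass || user.value !== login.username) return false;
  pass.value = login.password;
  return true;
}

// Same logic, but the target must also be a masked type=password input.
function fillWithTypeCheck(fields, login) {
  const user = fields.find((f) => f.name === login.usernameField);
  const pass = fields.find(
    (f) => f.name === login.passwordField &&
           String(f.type).toLowerCase() === "password"
  );
  if (!user || !pass || user.value !== login.username) return false;
  pass.value = login.password;
  return true;
}

// Names of fields that now show the saved password unmasked.
function cleartextLeaks(fields, login) {
  return fields
    .filter((f) => f.value === login.password &&
                   String(f.type).toLowerCase() !== "password")
    .map((f) => f.name);
}
```
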
That's not an issue of Firefox IMO, but of the webmaster. I don't think IE cares
either, but I've never sic'ed it on a badly coded webpage before.
Sounds related to Bug 217018
(In reply to comment #4)
> That's not an issue of Firefox IMO, but of the webmaster. I don't think IE cares
> either, but I've never sic'ed it on a badly coded webpage before.

Irrelevant.  This was discovered by accident, and would certainly not have a
plaintext password in a production environment, but there are plenty of stupid
webmasters out there with many naive surfers out there.  A web browser should do
anything it can to prevent a privacy breach, or we end up just like Microsoft.
Keywords: privacy
This was fixed over in bug 242956.

*** This bug has been marked as a duplicate of 242956 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Product: Firefox → Toolkit