Closed Bug 248355 Opened 19 years ago Closed 18 years ago

Data entered in HTML forms on secure pages is not erased

Categories

(Core :: Layout: Form Controls, defect)

x86
Linux
defect
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: andrew, Unassigned)

References

Details

(Whiteboard: [sg:nse])

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130

If sensitive information, such as a credit card number, is entered into
a Web form on a secure site, it is visible in memory after Mozilla exits.
It could then be found by regex search in /dev/mem e.g. "4520[\d]{12}" by
malware running as root, or by nonpriv malware that mallocs a large
amount of memory. Prudent design would suggest that sensitive data be
protected agains swapping by e.g. mlock() and erased after use or
on receipt of a fatal signal.
Erasing displayed "secure" pages might be nice too, but is likely
a more serious performance hit - it might  usefully be a user option.

Reproducible: Always
Steps to Reproduce:
1.Go to a secure page e.g. https://some.org/squirrelmail
2.Compose a message (that will not return to the local PC) with a keyword e.g.
"slartibartfastener"
3.Exit Mozilla
4. as root, execute "strings /dev/mem|grep bartfasten"

Actual Results:  
At least one instance of the full keyword "slartibartfastener" is found

Expected Results:  
The full keyword should not have been found - only the short search term

While I am reporting this using an older version (the last pre-packaged version
that installs on the RedHat 6.2I am still running at home), I am fairly sure
the problem is endemic. I noticed it a few years ago in Netscape and (I think)
reported it at that time.

In other software e.g. "GnuPG" some effort has been made using mlock() (which
requires an suid install) to prevent swapping of sensitive pages, and to 
overwrite allocated memory before exit.

Reportedly some viruses and trojans are now being created with the intention of
collecting information for identity theft and financial fraud. We should not
make it easy for them.
Assignee: general → dveditz
Component: Browser-General → Security: General
QA Contact: general
Clearing security flag, no remote exploit and it's more likely to get attention
as a public bug.
Assignee: dveditz → nobody
Group: security
Status: UNCONFIRMED → NEW
Component: Security: General → Layout: Form Controls
Ever confirmed: true
QA Contact: core.layout.form-controls
Whiteboard: [sg:nse]
Blocks: sg-ff101
Flags: blocking-aviary1.0.1?
minus this for 1.0.1....

if an attacker can get to memory they would have access to all browser data. 
seems unlikely that a fix is possible.
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: blocking-aviary1.0.1? → blocking-aviary1.0.1-
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.