Closed Bug 271154 Opened 20 years ago Closed 20 years ago

Undo should not work in password fields

Categories: Core :: Layout: Form Controls, defect, P2

Tracking: RESOLVED FIXED, mozilla1.8alpha6

People: Reporter: jruderman, Assigned: bzbarsky

Details: Keywords: csectype-disclosure, sec-low

Attachments: 1 file

1. Type into a password field.
2. Clear the field using backspace.
3. Ctrl+Z.

Result: password reappears.

Expected: Ctrl+Z in a password field should clear the field like it does in IE.
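The following is an added example, not code from the bug or from Mozilla's editor. It is a small model of an editable field whose changes are recorded on an undo stack, run through the three steps of comment #0: for an ordinary text field the cleared value comes back on undo, and for a field flagged as masked (the stand-in for a password field) no history is recorded, so the cleared secret stays cleared. The class, the `masked` flag and the sample value "hunter2" are all constructed for the illustration.

```javascript
// Added example (not code from the bug or from Mozilla's editor): a minimal
// model of an editable field whose edits are recorded on an undo stack.
// It shows the defect from the report (a cleared password is restored by
// undo) and the mitigation of recording no undo history for masked fields.

class UndoableField {
  // masked = true models <input type="password">
  constructor(masked = false) {
    this.masked = masked;
    this.value = "";
    this.undoStack = []; // earlier values, most recent last
  }

  // Snapshot the current value before a change, unless the field is masked.
  recordUndo() {
    if (this.masked) return; // mitigation: never keep history for secrets
    this.undoStack.push(this.value);
  }

  type(text) {
    this.recordUndo();
    this.value += text;
  }

  // Remove `count` characters from the end, as repeated Backspace would.
  backspace(count = 1) {
    this.recordUndo();
    this.value = this.value.slice(0, Math.max(0, this.value.length - count));
  }

  // Ctrl+Z: restore the previous value if one was recorded.
  undo() {
    if (this.undoStack.length > 0) {
      this.value = this.undoStack.pop();
    }
    return this.value;
  }
}

// Reproduce the steps from comment #0 and return the field's value after undo.
// "hunter2" is a constructed sample value.
function valueAfterUndo(masked) {
  const field = new UndoableField(masked);
  field.type("hunter2");               // step 1: type into the field
  field.backspace(field.value.length); // step 2: clear it with backspace
  return field.undo();                 // step 3: Ctrl+Z
}

// Unmasked text field: undo restores the text, as users of any editor expect.
// Masked field: nothing was recorded, so the cleared secret stays cleared.
console.log(JSON.stringify(valueAfterUndo(false))); // "hunter2"
console.log(JSON.stringify(valueAfterUndo(true)));  // ""
```

The point of skipping the snapshot rather than, say, discarding history when the field loses focus is that an undo stack is also a copy of the secret in process memory; a field that records nothing has nothing to replay and nothing to leak.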
Need more details from Jesse, but my best guess for a vulnerable scenario is in
an internet cafe where someone walks away from a screen where they've changed
their minds about logging in, thinking clearing the field is enough to make them
safe.

Undo for text fields is enough of a stealth feature that I'd have to side with
the average user's expectation. If the site thinks the contents are sensitive
enough to prevent shoulder-surfing then we should prevent replays.

I don't think this needs the security-sensitive flag though (unless I'm missing
something), it's not a remote attack where obscurity is buying us time to fix.
Whiteboard: [sg:fix]
Right, the Internet cafe vulnerability scenario you described is the one I was
thinking of.  Making public.
Group: security
This bug probably needs a real owner too, right?
Editor provides an API for this already; password fields should just use it.
Assignee: mozeditor → nobody
Component: Editor → Layout: Form Controls
OS: Windows XP → All
QA Contact: bugzilla → core.layout.form-controls
Hardware: PC → All
Version: 1.7 Branch → Trunk
Attached patch: Like so
Attachment #167895 - Flags: superreview?(dbaron)
Attachment #167895 - Flags: review?(dbaron)
Attachment #167895 - Flags: superreview?(dbaron)
Attachment #167895 - Flags: superreview+
Attachment #167895 - Flags: review?(dbaron)
Attachment #167895 - Flags: review+
Assignee: nobody → bzbarsky
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 20 years ago
Priority: -- → P2
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.8alpha6
(In reply to comment #0)
> 1. Type into a password field.
> 2. Clear the field using backspace.
> 3. Ctrl+Z.
> 
> Result: password reappears.
> 
> Expected: Ctrl+Z in a password field should clear the field like it does in IE.

Huh?  Ctrl+Z works just fine in a password field (eg. hotmail.com) for me in IE
6.  Now we're inconsistent with IE, with password dialogs, and (using my OS as a
reference) with password fields in Windows.
Dean is right about IE's behavior and I was wrong.  Undo *does* work in password
fields in IE.  The difference that made me think it didn't work is that IE
treats typing+backspacing as a single action for undo.  If the password field
loses and regains focus between typing and backspacing, you can undo the
backspacing in IE.

I still think it's good to disable undo in password fields for the security
reasons mentioned.
In situations like this in the past, where we want to do one thing but the
platform standard is another, we've tried to be consistent with the platform
have we not?
Except where overridden by serious considerations.... e.g. if the platform
standard is to crash, we have striven to not follow it... ;)

In this case, I think the security considerations are serious enough.
(In reply to comment #10)
> Except where overridden by serious considerations.... e.g. if the platform
> standard is to crash, we have striven to not follow it... ;)

Damn inconsistencies. ;)

> In this case, I think the security considerations are serious enough.

All right.  I'm sure I'll get used to it.  I just don't recall this ever being
raised as a security concern in Windows nor in IE.
Whiteboard: [sg:fix]