Firefox fills in passwords on malicious Bugzilla attachment

RESOLVED WONTFIX

Status


Toolkit
Password Manager
--
critical
RESOLVED WONTFIX
13 years ago
9 years ago

People

(Reporter: Mark Janssen, Unassigned)

Tracking

({testcase})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [keep hidden until bug 38862 is fixed])

Attachments

(1 attachment)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041223 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041223 Firefox/1.0

(I need to upload a testcase first - I have one but I want to test it here on
bugzilla)

Reproducible: Always
(Reporter)

Comment 1

13 years ago
Created attachment 172914 [details]
testcase - works
(Reporter)

Comment 2

13 years ago
OK it does.
This is a really big bug, which is caused by having Firefox fill in passwords on
every form on a subdomain. The testcase will get your bugzilla password if it
was remembered (and it might simply hide the form and submit it to a webpage,
too!) because it's also on bugzilla.mozilla.org.
Imagine someone uploading an attachment like this on some forum, or maybe with
some webmail providers!
(Reporter)

Updated

13 years ago
Attachment #172914 - Attachment description: testcase - unsure if it works → testcase - works

Comment 3

13 years ago
Note that the bugzilla team is already aware of this problem. Given that you
filed this bug about Firefox and that, as is, it did not affect my SeaMonkey
browser, I'm not going to CC any bugzilla devs.
Timeless: it definitely works against the Suite, too.

*** This bug has been marked as a duplicate of 38862 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 38862]
(Reporter)

Comment 5

13 years ago
What is the status of bug #38862?

Comment 6

13 years ago
arg. well, it would seem it doesn't work if you don't have mozilla set to
remember your password :)

reporter: were you complaining about firefox or bugzilla? the bug dveditz picked
is a bug about bugzilla and its status is that it's open. if you were trying to
file a bug against the bugzilla product, then you really failed to file it in
the right product.
(Reporter)

Comment 7

13 years ago
It is a bug against the Firefox product, the testcase relates to bugzilla as it
only works on the same domain as where the password was remembered for.

Again: what was the status of bug #38862? I do not have enough permissions to
view it.

Comment 8

13 years ago
reopening. the reporter clearly is filing this bug against firefox. the bug in
question is a bug against bugzilla.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
(Reporter)

Comment 9

13 years ago
As I stated before, this bug can work for theoretically every site, especially
sites everyone can upload files to (forums, bugzilla, webmail services).
One could create an attachment for phpBB (which uses username/password as names
for the respective form input fields) to simply post back the password to their
own site. JavaScript can automate this, but this isn't needed: for example they
could create an image button with a small image and tell the user to click it to
enlarge the image (but in fact it will post back the password which was
autofilled in some hidden boxes).
(Reporter)

Updated

13 years ago
Summary: a malicious attachment might allow someone to retrieve stored passwords → [testcase] malicious attachment might allow someone to retrieve stored passwords

Updated

13 years ago
Keywords: testcase
Summary: [testcase] malicious attachment might allow someone to retrieve stored passwords → malicious attachment might allow someone to retrieve stored passwords
Short of turning off the password manager entirely (which the user can do), or
the user not saving passwords for sites that display user-entered content, do
you have any suggestions?

The only thing that comes to mind is replaying the password only for the
specific URL from which it was captured. Or perhaps if the path doesn't match
then treat it as the multiple login case and make the user choose first.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:dupe 38862]
(Reporter)

Comment 11

13 years ago
A few suggestions:
* Save the password per-page and not for the whole domain. The password can then
only be captured by hacking the original page, but that's not an issue.
* Ask for user interaction to fill in a password (confirmation, clicking a
button, filling in the first letter of the username).
(Reporter)

Comment 12

13 years ago
Of course a temporary workaround is disabling the password manager.
(Reporter)

Comment 13

13 years ago
Another method to exploit this is using the 'write contents of the string on the
site' method, like http://www.somesite.com/error.php?error=<h1>404</h1>. By then
putting a simple JavaScript snippet in the query string, the password of a user
can be retrieved.

Comment 14

13 years ago
Making password manager per-URL rather than per-(protocol,host,port) would not
prevent XSS holes such as the ones mentioned in comment 2 and comment 13 from
being used to steal passwords stored with password manager.  The attacker would
just have to open the URL of the login form in a frame and then get the password
from the frame.

Wontfix, dup of bug 38862, or dup of bug 263387.  But it should probably stay
security-sensitive until bug 38862 is fixed.
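The following is an added example, not code from this bug or from Firefox, that models the three autofill policies argued over in this thread: matching on (protocol, host, port) as described in comment 2, the per-URL / "treat a path mismatch as the multiple-login case" idea from the comment before comment 11, and a stricter variant that also compares the form's action origin. It then runs the scenarios from comment 2 and comment 14 against each policy. All URLs, the `attacker.example` host, the `ATTACHMENT_ID` placeholder and the `SavedLogin` structure are constructed for the example.

```python
"""Toy model of password-manager autofill policies (added example, not Firefox code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


def origin(url: str) -> tuple:
    """(scheme, host, port): the key the Firefox 1.0 password manager matched on."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, port)


def path_key(url: str) -> tuple:
    """Origin plus path (query and fragment ignored): the per-URL idea from the thread."""
    return origin(url) + (urlsplit(url).path,)


@dataclass(frozen=True)
class SavedLogin:
    page_url: str    # URL of the page on which the credential was captured
    action_url: str  # URL the login form submitted to when it was captured
    username: str


def autofill_decision(saved: SavedLogin, page_url: str, action_url: str, policy: str) -> str:
    """Return 'fill', 'prompt' or 'none' for a form on page_url that posts to action_url.

    policy 'origin'     : fill whenever (scheme, host, port) matches (comment 2 behaviour)
    policy 'url'        : fill only when the page path also matches; otherwise fall back to
                          the multiple-login 'make the user choose first' prompt
    policy 'url+action' : as 'url', but refuse outright when the form posts to another origin
    """
    if origin(page_url) != origin(saved.page_url):
        return "none"
    if policy == "origin":
        return "fill"
    if policy == "url+action" and origin(action_url) != origin(saved.action_url):
        return "none"
    if path_key(page_url) == path_key(saved.page_url):
        return "fill"
    return "prompt"


# Constructed sample credential: saved on the real Bugzilla login form.
SAVED = SavedLogin("https://bugzilla.mozilla.org/index.cgi",
                   "https://bugzilla.mozilla.org/index.cgi", "reporter")

# Constructed scenarios: (page URL the form lives on, URL the form posts to).
SCENARIOS = {
    # the genuine login page
    "genuine login page": ("https://bugzilla.mozilla.org/index.cgi",
                           "https://bugzilla.mozilla.org/index.cgi"),
    # comment 2: an HTML attachment served from the same origin, form posting off-site
    "html attachment posting off-site": ("https://bugzilla.mozilla.org/attachment.cgi?id=ATTACHMENT_ID",
                                         "https://attacker.example/collect"),
    # comment 14: the real login URL loaded in a frame by same-origin attacker content;
    # from inside the frame the inputs are indistinguishable from the genuine page
    "real login page framed (comment 14)": ("https://bugzilla.mozilla.org/index.cgi",
                                            "https://bugzilla.mozilla.org/index.cgi"),
}


def evaluate(policy: str) -> dict:
    """Decision of one policy for every scenario."""
    return {name: autofill_decision(SAVED, page, action, policy)
            for name, (page, action) in SCENARIOS.items()}


if __name__ == "__main__":
    for policy in ("origin", "url", "url+action"):
        print(policy, evaluate(policy))
```

Running it shows the shape of the argument: the origin policy fills in every scenario; the per-URL policy downgrades the attachment case to a prompt and the action-origin check refuses it; but neither distinguishes the framed genuine login page, which is comment 14's point that only a user-interaction requirement (comment 11) covers the same-origin XSS and framing cases.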
(Reporter)

Comment 15

13 years ago
Hmm, true. Then the only solution is to treat all forms like multi-username forms or
to have the user click a button/confirmation.

Updated

13 years ago
Blocks: 301375

Comment 16

13 years ago
> As I stated before, this bug can work for theoretically every site, especially
> sites everyone can upload files to (forums, bugzilla, webmail services).

Most webmail services avoid having this kind of hole by keeping attachments at a
different hostname or by scrubbing HTML attachments.

> Another method to exploit this is using the 'write contents of the string on the
> site' method, like http://www.somesite.com/error.php?error=<h1>404</h1>.

It is true that many sites have holes like this, but I don't think a change to
password manager (like in bug 263387) is the correct solution.

There are several other ideas for solutions in this bug, which could turn into
new bugs blocking bug 301375.  I'd prefer for that discussion to not take place
in this bug, because this bug discusses a security hole in Bugzilla that is
still hidden.
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WONTFIX
Summary: malicious attachment might allow someone to retrieve stored passwords → Firefox fills in passwords on malicious Bugzilla attachment
Whiteboard: [keep hidden until bug 38862 is fixed]
(Assignee)

Updated

9 years ago
Product: Firefox → Toolkit
Group: core-security
Assignee: bugs → nobody
Component: Form Manager → Password Manager
QA Contact: form.manager → password.manager