Closed Bug 284070 Opened 20 years ago Closed 20 years ago

a security flaw when a dialog launched from JavaScript can be considered FF native by the user

Categories

(Toolkit :: Password Manager, defect)

x86
All
defect
Not set
major

RESOLVED DUPLICATE of bug 64676

People

(Reporter: max.vlasov, Assigned: bryner)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

I created a page from which the flaw can be seen

http://maksee.narod.ru/temp/input.htm

The problem is that JavaScript's prompt() dialog looks exactly the same as the
one popped up by Software Security Device, so a 3rd party can have access to the
master password and the user could not even notice this.

Reproducible: Always

Steps to Reproduce:
1. Create an empty html page
2. Insert the text |<script>prompt("Please enter the master password for the Software Security Device")</script>| inside
3. Open the page

Actual Results:  
A dialog that looks like the native prompting for Master password

Expected Results:  
I suppose that the native dialog should look a little different, for example
it may contain an absolutely different icon so the user at least pays some
attention to how the dialog looks

*** This bug has been marked as a duplicate of 64676 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Product: Firefox → Toolkit
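
The report asks that script-launched dialogs be distinguishable from native ones. One way to express that idea, as an added example that is not code from this bug or from Firefox: a wrapper that labels every page-originated prompt() with its origin and refuses messages worded like a credential request. The function names, the pattern list, the label wording and the fake window object are assumptions made for the illustration.

```javascript
// Added example, not Firefox code. Names and patterns below are hypothetical.
const CREDENTIAL_PATTERNS = [
  /master\s+password/i,
  /software\s+security\s+device/i,
  /\bpass(word|phrase)\b/i,
];

function looksLikeCredentialRequest(message) {
  // Collapse whitespace so a line break inside the message cannot split a phrase.
  const text = String(message).replace(/\s+/g, " ");
  return CREDENTIAL_PATTERNS.some((re) => re.test(text));
}

function guardPrompt(win, origin, log = []) {
  const nativePrompt = win.prompt.bind(win);
  win.prompt = function (message = "", defaultValue = "") {
    if (looksLikeCredentialRequest(message)) {
      log.push({ origin, message: String(message), action: "blocked" });
      return null; // same value prompt() returns when the user cancels
    }
    log.push({ origin, message: String(message), action: "labelled" });
    // Prefix the origin so the dialog cannot pass as a browser-native one.
    return nativePrompt(`The page at ${origin} says:\n\n${message}`, defaultValue);
  };
  return log;
}

// Constructed stand-in for a browser window so the example runs under Node.
function makeFakeWindow(shown) {
  return { prompt(message) { shown.push(message); return "typed by user"; } };
}

function demo() {
  const shown = [];
  const win = makeFakeWindow(shown);
  const log = guardPrompt(win, "http://example.test"); // constructed origin
  const a = win.prompt("Please enter the master password for the\nSoftware Security Device");
  const b = win.prompt("What is your favourite colour?");
  return { a, b, shown, log };
}
```

A wrapper installed from page context can be undone by the page itself, so the durable form of this labelling belongs in the browser's own dialog code.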