Bug 288275 - Password fields should use secure input mode to prevent sniffing
Opened 19 years ago
Closed 12 years ago
Categories: Firefox :: Security, defect
Status: RESOLVED DUPLICATE of bug 394107
People: Reporter: ap, Assigned: dveditz
Description
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; ru-ru) AppleWebKit/405 (KHTML, like Gecko) Safari/405
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1

Native OS X password controls (Carbon or Cocoa) temporarily enable a so-called secure input mode to prevent password sniffing. However, Firefox password fields do not, making sniffing possible. This is a problem with both forms and auth sheets.

Reproducible: Always

Steps to Reproduce:
1. Enable Keyboard Viewer in International control panel
2. Show it (from Keyboards menu)
3. Make a password field active (e.g., go to http://bugreport.apple.com)
4. Type something

Actual Results:
Keypresses are visible in the Keyboard Viewer

Expected Results:
Keyboard Viewer shouldn't see password keys pressed.

Technically, it is very easy to enable/disable secure input mode: EnableSecureEventInput(), DisableSecureEventInput(), that's all. However, great care should be taken to ensure that secure input mode gets correctly disabled - because it prevents many accessibility applications from working. It should be disabled whenever the password control stops being the user input focus for any reason, including:
1) Focus moves to another control
2) Another application is activated
3) A system service such as Dashboard is activated
4) A dialog such as Save As is displayed
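As an added illustration of the enable/disable discipline the description asks for (example code written for this page, not Firefox or Mozilla code): a small idempotent wrapper that turns secure input on when a password field takes keyboard focus and off on each of the four focus-loss paths listed above, so a missed or duplicated event can never leave accessibility tools locked out. The function names PasswordFieldGainedFocus, PasswordFieldLostFocus and CountLeakedSecureInput are hypothetical, the walkthrough is a constructed scenario, and by default the three HIToolbox calls are replaced by a test double (an assumption: it models the API as a balanced on/off counter) so the file builds and runs off-platform; on macOS compile with -DUSE_CARBON_SECURE_INPUT and -framework Carbon to call the real functions.

```c
/*
 * Added example, not Mozilla code: an idempotent wrapper around the Carbon
 * secure-input API named in bug 288275. Secure input is enabled when a
 * password field becomes the keyboard focus and disabled on every focus-loss
 * path the reporter lists, so accessibility tools are never left locked out.
 *
 * Build on macOS with the real API:
 *   cc -DUSE_CARBON_SECURE_INPUT -framework Carbon secure_input.c
 * Anywhere else the test double below stands in for the three HIToolbox calls
 * (assumption: it models them as a balanced on/off counter).
 */
#include <stdbool.h>
#include <stdio.h>

#ifdef USE_CARBON_SECURE_INPUT
#include <Carbon/Carbon.h>
#else
static int g_double_depth = 0;                          /* test double state */
static void EnableSecureEventInput(void)  { g_double_depth++; }
static void DisableSecureEventInput(void) { if (g_double_depth > 0) g_double_depth--; }
static bool IsSecureEventInputEnabled(void) { return g_double_depth > 0; }
#endif

/* Every way the password field can stop being the input focus. */
typedef enum {
    FOCUS_LOST_TO_OTHER_CONTROL,   /* 1) focus moved to another control */
    FOCUS_LOST_APP_DEACTIVATED,    /* 2) another application was activated */
    FOCUS_LOST_SYSTEM_SERVICE,     /* 3) Dashboard or similar was activated */
    FOCUS_LOST_MODAL_DIALOG        /* 4) a dialog such as Save As appeared */
} FocusLossReason;

/* Only one control can hold keyboard focus, so a single flag is enough to keep
 * the Enable/Disable calls balanced no matter how many focus events arrive. */
static bool g_secure_input_held = false;

/* Password field became the keyboard focus. Returns the state afterwards
 * (true = secure input on). Idempotent: a repeated focus event does not
 * produce a second, unbalanced Enable call. */
bool PasswordFieldGainedFocus(void)
{
    if (!g_secure_input_held) {
        EnableSecureEventInput();
        g_secure_input_held = true;
    }
    return IsSecureEventInputEnabled();
}

/* Password field stopped being the focus, for any reason. Returns the state
 * afterwards (false = secure input off, which is what accessibility tools
 * need). Idempotent as well. Note: on macOS IsSecureEventInputEnabled() can
 * also reflect another process holding secure input; with the test double it
 * reflects only this file's own calls. */
bool PasswordFieldLostFocus(FocusLossReason reason)
{
    (void)reason;                  /* every reason must disable; none is special */
    if (g_secure_input_held) {
        DisableSecureEventInput();
        g_secure_input_held = false;
    }
    return IsSecureEventInputEnabled();
}

/* Constructed scenario: focus the field twice (duplicate event), then lose
 * focus by each of the four paths. Returns how many paths left secure input
 * enabled; a correct implementation returns 0. */
int CountLeakedSecureInput(void)
{
    static const FocusLossReason reasons[] = {
        FOCUS_LOST_TO_OTHER_CONTROL, FOCUS_LOST_APP_DEACTIVATED,
        FOCUS_LOST_SYSTEM_SERVICE,   FOCUS_LOST_MODAL_DIALOG
    };
    int leaks = 0;
    for (size_t i = 0; i < sizeof reasons / sizeof reasons[0]; i++) {
        PasswordFieldGainedFocus();
        PasswordFieldGainedFocus();          /* duplicate focus event */
        if (PasswordFieldLostFocus(reasons[i]))
            leaks++;
    }
    return leaks;
}

int main(void)
{
    printf("secure input after focus: %s\n", PasswordFieldGainedFocus() ? "on" : "off");
    printf("secure input after blur:  %s\n",
           PasswordFieldLostFocus(FOCUS_LOST_APP_DEACTIVATED) ? "on" : "off");
    printf("loss paths that leaked:   %d\n", CountLeakedSecureInput());
    return 0;
}
```

The single held-flag is the point: the wrapper never relies on the four loss paths being mutually exclusive or on each arriving exactly once, which is exactly the situation (dialogs, Dashboard, app switches racing a blur event) the description warns about.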
Comment 1•19 years ago
This secure input mode works in native (Carbon and Cocoa) controls, which we're not using at this moment. EnableSecureEventInput, DisableSecureEventInput, and IsSecureEventInputEnabled are supposed to help us however, see <http://developer.apple.com/releasenotes/Carbon/HIToolbox.html>. I've heard of Jaguar and/or Panther problems though.
Comment 2 (Reporter)•19 years ago
I think that these APIs are only available in 10.3 and higher (at least, they are documented as such). In 10.2, system controls used some private API to achieve a similar result. I have read about GetKeys() not being completely disabled in some circumstances (http://lists.apple.com/archives/carbon-dev/2005/Jan/msg00360.html) - are there any other known problems?
Comment 3•13 years ago
While "parity with other applications on the platform" probably constitutes a sufficiently good reason, what benefit does this feature provide, exactly? An application running as a given user can't protect itself from other applications running as the same user; this just makes keyloggers marginally more difficult, not impossible. If you have a password sniffing tool running on your system, you've already lost. Also, marking this as not PowerPC-specific.
Hardware: PowerPC → All
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE