Closed
Bug 288275
Opened 21 years ago
Closed 13 years ago
Password fields should use secure input mode to prevent sniffing
Categories
(Firefox :: Security, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 394107
People
(Reporter: ap, Assigned: dveditz)
Details
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; ru-ru) AppleWebKit/405 (KHTML, like Gecko) Safari/405
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1
Native OS X password controls (Carbon or Cocoa) temporarily enable a so-called secure input mode to
prevent password sniffing. However, Firefox password fields do not, making sniffing possible. This is a
problem with both forms and auth sheets.
Reproducible: Always
Steps to Reproduce:
1. Enable Keyboard Viewer in International control panel
2. Show it (from Keyboards menu)
3. Make a password field active (e.g., go to http://bugreport.apple.com)
4. Type something
Actual Results:
Keypresses are visible in the Keyboard Viewer
Expected Results:
Keyboard Viewer shouldn't see password keys pressed.
Technically, it is very easy to enable/disable secure input mode: EnableSecureEventInput(),
DisableSecureEventInput(), that's all. However, great care should be taken to ensure that secure input
mode gets correctly disabled - because it prevents many accessibility applications from working. It should
be disabled whenever the password control stops being the user input focus for any reason, including:
1) Focus moves to another control
2) Another application is activated
3) A system service such as Dashboard is activated
4) A dialog such as Save As is displayed
Comment 1•21 years ago
|
||
This secure input mode works in native (Carbon and Cocoa) controls, which we're
not using at this moment. EnableSecureEventInput, DisableSecureEventInput, and
IsSecureEventInputEnabled are supposed to help us however, see
<http://developer.apple.com/releasenotes/Carbon/HIToolbox.html>. I've heard of
Jaguar and/or Panther problems though.
| Reporter | ||
Comment 2•21 years ago
|
||
I think that these APIs are only available in 10.3 and higher (at least, they are documented as such). In
10.2, system controls used some private API to achieve a similar result.
I have read about GetKeys() not being completely disabled in some circumstances (http://
lists.apple.com/archives/carbon-dev/2005/Jan/msg00360.html) - are there any other
known problems?
Comment 3•15 years ago
|
||
While "parity with other applications on the platform" probably constitutes a sufficiently good reason, what benefit does this feature provide, exactly? An application running as a given user can't protect itself from other applications running as the same user; this just makes keyloggers marginally more difficult, not impossible. If you have a password sniffing tool running on your system, you've already lost.
Also, marking this as not PowerPC-specific.
Hardware: PowerPC → All
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•