Closed Bug 288275 Opened 21 years ago Closed 13 years ago

Password fields should use secure input mode to prevent sniffing

Categories

(Firefox :: Security, defect)

All
macOS
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 394107

People

(Reporter: ap, Assigned: dveditz)

Details

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; ru-ru) AppleWebKit/405 (KHTML, like Gecko) Safari/405 Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1 Native OS X password controls (Carbon or Cocoa) temporarily enable a so-called secure input mode to prevent password sniffing. However, Firefox password fields do not, making sniffing possible. This is a problem with both forms and auth sheets. Reproducible: Always Steps to Reproduce: 1. Enable Keyboard Viewer in International control panel 2. Show it (from Keyboards menu) 3. Make a password field active (e.g., go to http://bugreport.apple.com) 4. Type something Actual Results: Keypresses are visible in the Keyboard Viewer Expected Results: Keyboard Viewer shouldn't see password keys pressed. Technically, it is very easy to enable/disable secure input mode: EnableSecureEventInput(), DisableSecureEventInput(), that's all. However, great care should be taken to ensure that secure input mode gets correctly disabled - because it prevents many accessibility applications from working. It should be disabled whenever the password control stops being the user input focus for any reason, including: 1) Focus moves to another control 2) Another application is activated 3) A system service such as Dashboard is activated 4) A dialog such as Save As is displayed
This secure input mode works in native (Carbon and Cocoa) controls, which we're not using at this moment. EnableSecureEventInput, DisableSecureEventInput, and IsSecureEventInputEnabled are supposed to help us however, see <http://developer.apple.com/releasenotes/Carbon/HIToolbox.html>. I've heard of Jaguar and/or Panther problems though.
Status: UNCONFIRMED → NEW
Ever confirmed: true
I think that these APIs are only available in 10.3 and higher (at least, they are documented as such). In 10.2, system controls used some private API to achieve a similar result. I have read about GetKeys() not being completely disabled in some circumstances (http:// lists.apple.com/archives/carbon-dev/2005/Jan/msg00360.html) - are there any other known problems?
While "parity with other applications on the platform" probably constitutes a sufficiently good reason, what benefit does this feature provide, exactly? An application running as a given user can't protect itself from other applications running as the same user; this just makes keyloggers marginally more difficult, not impossible. If you have a password sniffing tool running on your system, you've already lost. Also, marking this as not PowerPC-specific.
Hardware: PowerPC → All
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.