Closed Bug 351700 Opened 18 years ago Closed 18 years ago

Cross-Site autocompletion/attribute-storage security issue (even under https, with autocomplete="OFF" on the <form>)

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
All
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED DUPLICATE of bug 350785

People

(Reporter: jmartin, Unassigned)

References

(
URL
)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 (Debian-1.5.dfsg+1.5.0.6-3) Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 (Debian-1.5.dfsg+1.5.0.6-3) Firefox's autocompletion is storing sensitive data which should not be stored, such as account numbers, logins, credit card numbers, etc. An example is if I log in to my BOA account (or even just enter a bogus Login ID and submit), it will not autocomplete on HTTPS as expected, but if I create a form with the same name/id value for a input tag, it autocompletes from the original site regardless of autocompletion definitions, https, or other attempts to block this information from being transferable. Reproducible: Always Steps to Reproduce: 1. Go to bankofamerica.com (or any secure login site with or without an autocomplete attribute) and enter a bogus login and submit. 2. Create a html file locally with the same element name/id (onlineID) and open it. 3. Press the first letter of the bogus login you entered earlier Actual Results: The autocompletion shows the login from another website (even with no caching, autocomplete, or under https) Expected Results: HTTPS or autocompletion attributes should not store the field data locally, and/or should not provide autocompletion from other websites (especially secure sites). Nothing should have appeared (nor been stored) regardless of the autocomplete attribute on the field. I tested this same example with Konqueror and it behaved as expected, not saving nor providing autocompletion information from the other secured site.
Can you please give the exact URL of the BOA login page you used, and attach to this bug the HTML page you created with similar IDs? Thanks, Gerv
there's nothing inherently super secret in this bug. i'd rather it be open so people can comment. note that you're reporting a bug based on a debian build. having just looked at the patch, i really don't want to hear about it. please test with a standard mozilla.org build of firefox (you're free to build it yourself or download from mozilla.org), don't install it globally, just expand it into ~/Desktop/firefox-test from an xterminal, do: MOZ_NO_REMOTE=1;./firefox -p select create profile, create a new profile. test here. this will give you a profile that should have no extensions. if you can't reproduce with this profile with no extensions, you'll have to chase through your extension list.
Group: security
With a 20060917 trunk build and fresh profile, if I go to https://sitekey.bankofamerica.com/sas/signon.do?&detect=3 and select Oregon, then on the next page with the "Enter Online ID:" form (autocomplete="OFF" on the form), enter |bogus123| in the form, then open a new tab and go to data:text/html,<input name="onlineID"> and type |b|, I get "bogus123" autocompleted. Whether that's okay, evil, their fault, I dunno, but it's certainly surprising.
Phil: the onlineID <input> field on this page: https://sitekey.bankofamerica.com/sas/signonScreen.do?state=OR does _not_ have the "autocomplete=off" attribute. So Firefox is, quite rightly, holding on to the data. Gerv
<form name="signonForm" method="post" action="/sas/signon.do" autocomplete="OFF"> ... <input type="text" maxLength=32 name=onlineID size=42 id=onlineID value="" class=text1> Are you saying that they, and I, and our documentation, and everyone else's documentation, are all wrong? Or case-sensitive?
Phil: sorry, my mistake. I forgot it could also apply to <form> elements. Having done some more research, I believe this is a duplicate. Gerv *** This bug has been marked as a duplicate of 198419 ***
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Summary: Cross-Site autocompletion/attribute-storage security issue (even under https) → Cross-Site autocompletion/attribute-storage security issue (even under https, with autocomplete="OFF" on the <form>)
Indeed, but not of that, unless you're also going to unfork wallet and satchel, and move all the Firefox : Form Manager bugs over there.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
*** This bug has been marked as a duplicate of 350785 ***
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago18 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.