Closed Bug 358327 Opened 18 years ago Closed 18 years ago

To log in to Bugzilla, I entered the username (email) and COPIED & PASTED my Password. It is a security flaw and the Password field should not accept copied & pasted/cut & pasted Passwords.

Categories

(Core :: XUL, defect)

1.8 Branch
x86
Windows XP
defect
Not set
normal

VERIFIED INVALID

People

(Reporter: rajesh_barde, Assigned: jag+mozilla)

Details

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; InfoPath.1)
Build Identifier:

To log in to Bugzilla, I needed to enter the Username (email) and Password. I simply copied and pasted the Password sent to my email. Surprisingly, it accepted it. I think the Password field is a vulnerable field for security. Hence, the user should only be able to enter/type the password.

Reproducible: Always

Steps to Reproduce:
1. Enter Username
2. Copy & Paste Password
3. Click the Login button

Actual Results:
After copying and pasting the password in the Password field and clicking the login button, I was logged into my account.

Expected Results:
After copying and pasting the password in the Password field and clicking the login button, I should not be logged into my account. Copied/Cut & Pasted passwords should not be accepted by the Password field. The Password field should have cleared the password entered and prompted the user to type in the Password instead.

I don't understand. We shouldn't (and don't) allow passwords to be *copied* from password fields, but we should (and do) allow them to be *pasted*. In any case, this sounds like a browser issue, not a bugzilla issue.
Group: security
I think this is invalid (but I'll let the people who run the product this bug actually belongs in decide that) on grounds that there isn't any security problem here. I fail to see the issue with being able to paste a password. I do see a problem with copying a password that's already hidden (which Firefox doesn't let you do), but you're copying from a cleartext source (which has to be that way or you wouldn't see it to know what it was to type it ;)
Assignee: justdave → jag
Component: Bugzilla: Other b.m.o Issues → XP Toolkit/Widgets
Product: mozilla.org → Core
QA Contact: myk → xptoolkit.widgets
Version: other → 1.8 Branch
Actually, I take that back, I'm going to do it myself anyway. The first comment says you're using IE6. Go tell it to Microsoft. :)
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
Status: RESOLVED → VERIFIED
Hi, let me tell you how it is a security issue. Imagine the scenario where I enter the username and copy & paste my password. After I have finished my work and logged out, the password is still active, and anyone knowing my username can try pasting the password. Doesn't this become a security issue?
If you share a Windows user account and put your password on the clipboard, then yes, the other person who uses your computer can see your password. But that doesn't mean Firefox should reject pasted passwords; it means you should be careful about how you use the clipboard on computers that are shared insecurely.
Hi Jesse,

> If you share a Windows user account and put your password on the clipboard, then yes, the other person who uses your computer can see your password.

Rajesh wrote: This is enough for a security breach, Scenario 1.

> But that doesn't mean Firefox should reject pasted passwords; it means you should be careful about how you use the clipboard on computers that are shared insecurely.

Rajesh wrote: This is enough for a security breach, Scenario 2.

I am sure everyone is careful about being secure. Knowingly, no one wants to get his/her security breached. But as a worst case scenario, we may neglect being careful, and accidents do happen. In such cases, what does one do?
Even if you can't paste your password in Firefox, you can still copy your password into your OS's clipboard, so that doesn't make it any safer. Besides, even if you have your password in your clipboard, how will people know that it's a password, and what it's a password for? Even if people find your password in the clipboard, and know what it's a password for, they can paste it into notepad and then type it in themselves. Your concern about passwords being in the clipboard can only be solved by not having passwords in the clipboard.
(In reply to comment #7)
> Your concern about passwords being in the clipboard can only be solved by not
> having passwords in the clipboard.

I agree. Note that it's the user who copied the password in the first place. And if it happens in an external app, we can't prevent it at all. Our users would be /really/ angry if they can't copy their password from an email, for instance, and then paste it in a password textfield. In my company we often have to do that, and the passwords are 128 bytes long, full of gibberish, and impossible to type manually. Maybe we can ask the user after the paste if we can clear the clipboard buffer for him/her, to prevent an accidental paste later. But that sounds like featuritis.
(In reply to comment #7)
> Your concern about passwords being in the clipboard can only be solved by not
> having passwords in the clipboard.

... and a good way of discouraging putting passwords onto the clip is by removing the incentive to do so. It is too easy to paste into the wrong field (dragging is even worse), videlicet:

Bug 274773 "Middle-clicking non-hyperlinked areas of a page attempts to load from clipboard"
Bug 284321 "Drag and drop text string to viewport goes to google search"

Note especially Bug 284321 comment 10.

Pasting into password fields also subverts the check on typos. Using lengthy (or merely strong) passwords and keys puts one into a tiny minority, and this is a genuine case for a preference. By default, pasting should be off w.r.t. password fields, and middle-mouse pasting and drag and drop on only for bona fide editable text fields. People who need the alternate behaviours are identically the people who know how to set hidden preferences.