Closed Bug 408531 Opened 12 years ago Closed 12 years ago
password manager + XSS = disaster
707 bytes, text/html
if password manager remembers a password for a site and if there is a xss hole in site, username & password can easily be stolen. b.m.o is nice example, because it servers arbitrary html, so it is possible to steal saved b.m.o passwords. just make a form with the same fields as the original one and read it with js. this may be a bugzilla bug, so change product if needed. testcase reading saved b.m.o passwords attached.
I'm fairly certain there's a bug about this as a general Bugzilla problem, but I don't think I have access to it. Bug 360493 made this a little more difficult (by checking the action URL), but if you can inject arbitrary JS into the page it's basically already game over, password manager or not... The script could just poll the user/pass fields for value changes, or install an onsubmit handler. Even if the user types their password manually, you'd have it.
Attachment #293355 - Attachment description: passwd2.html - reading saved passwdords and usernames from b.m.o → passwd2.html - reading saved passwords and usernames from b.m.o
The bugzilla bug is bug 38862. Justin's right - once you've succeeded in finding an XSS vulnerability, whether or not the password manager is involved doesn't make much of a difference.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 359675
(In reply to comment #2) > whether or not the password manager is involved > doesn't make much of a difference. > it makes a difference. with autofilled password, the password is stolen silently without user interaction. and the password is more valuable than a simple cookie.
As Justin pointed out in comment 1, there are ways to steal passwords silently without the password manager being involved.
if the password is typed - yes. otherwise how do you steal the password without being typed and without password manager?
(In reply to comment #5) > if the password is typed - yes. otherwise how do you steal the password without > being typed and without password manager? If the password manager doesn't auto-fill, and the password isn't typed in, what's left? Some people have proposed the "wand" UI, like in Opera, or a notification bar button, in the bug this one's duped to. Those still wouldn't help much - as soon as the password is entered the script running on the page can see it, no matter how many hoops the user's had to jump through to get it there.
The argument from comment 3 onward is pointless. Yes, XSS is a problem in its own right, and yes, password autofill makes it worse. This has already been duped to a bug that makes that case. [Gavin: you're missing the point in comment 6. The user never knowingly has to visit the site to have their password stolen with an XSS hole. If they visit a malicious or compromised site it can use the CSS-history trick to scope out likely victims and then steal the password of the target site in a hidden frame. A "wand"-using user, or even a "click to fill-in" one, would be safe from this kind of attack.]
(In reply to comment #7) > [Gavin: you're missing the point in comment 6. The user never knowingly has to > visit the site to have their password stolen with an XSS hole. If they visit a > malicious or compromised site it can use the CSS-history trick to scope out > likely victims and then steal the password of the target site in a hidden > frame. A "wand"-using user, or even a "click to fill-in" one, would be safe > from this kind of attack.] I'm not missing the point - I don't think that the difference in likelihood of password-stealing success between "hidden iframe that pwmgr autofills" and "visible rewritten log-in page where user enters password (using a wand or otherwise)" is great enough to merit the potential usability hit of fixing only the former.
From the standpoint of "I want to steal your GMail account" it might only be a little harder to essentially phish the user into entering the password on a visible form. In contrast the hidden frame attack enables wholesale theft of every interesting password you have at once given the presence of known XSS holes on those sites, and the current belief is that somewhere around 80% of all significant sites have an XSS hole. I guess this argument belongs in the other bug...
completely agree with comment 9
Bug 412437 basically means that if there is a saved doctor.mozilla.org password then defacement of m.o may be possible
(In reply to comment #11) > Bug 412437 basically means that if there is a saved doctor.mozilla.org password (...) Is there any reason why is this bug (RESOLVED FIXED) still inaccessible?
(In reply to comment #13) > Is there any reason why is this bug (RESOLVED FIXED) still inaccessible? No reason. I've just unhidden it, as the issue it discusses has been mitigated.
You need to log in before you can comment on or make changes to this bug.