Closed Bug 455885 Opened 17 years ago Closed 15 years ago

Password manager and form history: usernames end up in autocomplete history

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: gblott, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 Because anything that is entered in a form field gets saved in the clear in the formhistory.sqlite file, the username portion of a typical login page (filled by FF password manager) becomes insecure. It would seem that the intent of encrypting it with the password in password manager storage is to keep it from being stored anywhere in the clear. So if you use the FF password manager, and save form history, while your usernames are encrypted in the signons*.txt file (used by FF password manager), each ends up in clear text in the form history file after a login. It's frustrating that although you're trying to be secure (using encryption), one has to disable a key feature of FF to make this useful! Thus, I think that one or both of the following solutions should be implemented: 1. Encrypt the form history entries (preferred). 2. Separate the form history function from the search history function, so that the form history can be disabled without losing the search history and possibly crippling the "awesomebar". Reproducible: Always Steps to Reproduce: 1. In Tools|Options, enable "remember passwords for sites", and "remember what I enter in forms and the search bar". 2. Enter username and password on any login page. Upon submit, click the button for password manager to remember the login data. 3. Clear saved forms and search history, then verify that formhistory.sqlite doesn't have any login info. 4. Go back to the login page (password manager should fill the username and password) and submit it. 5. Check formhistory.sqlite and note that username is present in clear text. Actual Results: Username was saved in the clear in the formhistory.sqlite file. Expected Results: Hoped that username fill by password manager would be excluded from form history, just as password is.
Resolving unconfirmed bugs older than a year with no activity as INCOMPLETE. Please reopen or file a new bug if you can still reproduce the bug.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.