Closed Bug 498293 Opened 16 years ago Closed 16 years ago

Cancelling Master Password Twice Still Logs In

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED INVALID

People

(Reporter: hydrocell, Unassigned)

References

(
URL
)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 Without entering the master password, and simply cancelling it once when the page loads, and once again cancelling when pressing "Login", I am able to login to the secure website without ever entering the Master Password. This defeats the purpose of having the master password at all. Have not tested this on other websites yet, but if it works on one, it will work on others. Again, I am able to login with my private Master Password secured credentials without ever entering the Master Password! Reproducible: Always Steps to Reproduce: 1. Go to login web page, asks for Master Password, press 'Cancel'. 2. Press 'Login' buton, prompts for Master Password, press 'Cancel'. 3. I am now logged in...? Actual Results: I was logged into the website without ever entering my Master Password, credentials for the site were pre-filled before I was prompted to enter the MP, and stayed that way even after I pressed cancel. Expected Results: The username/password fields should remain blank/empty until the correct Master Password is entered.
I cannot confirm this behavior. I tested with a new profile and added a single saved password and then added a Master Password. After multiple attempts loading the page and hitting cancel on the resulting dialog, the login and password are never filled into the form fields. What site are you using where you are seeing this behavior?
> Actual Results: > I was logged into the website without ever entering my Master Password, > credentials for the site were pre-filled before I was prompted to enter the > MP, and stayed that way even after I pressed cancel. If the password was filled in before the Master Password prompt then it wasn't Firefox. My first guess would be the site itself, remembering who you were based on cookies. You could test that by clearing your cookies (or at least cookies for that domain) and see if it remembers you next time. Another guess would be some 3rd-party password saver. What add-ons do you have installed?
Daniel Veditz: Okay, I will test it with clearing my cookies. Thanks. Brandon Sterne: The site is listed above in the URL section as: https://www.techbuy.com.au/login.asp
Daniel Veditz: Yeah, you're right, it was the actual site's cookie. Good one, my bad. Should have tested that before filing this report. How do I close this down and mark it as solved?
INVALID?
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
Yeah, INVALID works, here. We'd always rather concerned folk tell us when there's a problem and help us solve it so don't feel badly about filing, even if it isn't a Firefox problem in this case. I am going to remove the security-sensitive flag though, since this bug doesn't need to be kept secret.
Group: core-security
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.