Closed Bug 501000 Opened 15 years ago Closed 14 years ago

Seamonkey reveals first wallet password to websites due to javascript flaw

Categories

(SeaMonkey :: Security, defect)

Version: SeaMonkey 1.1 Branch
Platform: x86
OS: Windows XP
Type: defect
Priority: Not set
Severity: major

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: ChrisGri, Unassigned)


Details

(Whiteboard: [sg:needinfo])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17

From dict.leo.org, you can install a special javascript "bookmarklet" that lets you translate words simply by marking a word and clicking. If you mark a word and click the bookmarklet, a separate window with the translation is opened.
But if you don't have a word marked, the javascript code somehow delivers the Master Password of the "Software Security Device" to the website!

The bookmarklet's code is
javascript:s=(window.getSelection?window.getSelection():document.getSelection());if(s==''){if(window.getSelection){if(frames.length!=1){for(i=0;i<frames.length;i++){s=frames[i].document.getSelection();if(s)break;}}}}if(s=='')void(s=prompt('Enter%20a%20search%20term%20or%20select%20the%20text%20you%20want%20to%20translate%20before%20clicking%20on%20LEOdict.',''));if(s){leow=open('http://dict.leo.org/?lp=ende&search='+escape(s),'LEODict','width=750,height=550,scrollbars=yes,resizeable=yes');leow.focus();}
Reproducible: Always

Steps to Reproduce:
1. define a Master Password for the Software Security Device
2. install the above bookmarklet, restart browser
3. use the master password at least once
4. while no word is marked on the current web page, click the above bookmarklet
5. you see your Master Password sent to dict.leo.org for translation
Actual Results:  
The separate "dict.leo.org" window appears, prominently showing the Master Password as the term to translate, as if it were a marked word on your web page.

Expected Results:  
Instead of sending my Master Password, a box should appear with the "Enter search term or select the text you want to translate before clicking on LEODict." message.

Somehow, SeaMonkey's javascript implementation appears to have a flaw that sends the Master Password to URLs asking for a "marked" word when in fact no word is marked yet. It may well be that the Master Password somehow ends up in SeaMonkey's internal clipboard (where a marked word is normally put).
Version: unspecified → SeaMonkey 1.1 Branch
We've had similar complaints about the prompt() function in the past... let's see if we can reproduce it this time so we can fix it.
The real question is: what browser code is storing the Master Password? NSS itself does not store it. Any code that rightfully gets it (e.g. a Master Password prompt) should use it, and then immediately ensure that it is overwritten.

Neil, do you have a clue what's up there?
My wild guess currently is that wallet is somehow confusing the prompt from the bookmarklet with the prompt for the master password.
(In reply to comment #1)
> We've had similar complaints about the prompt() function in the past... let's
> see if we can reproduce it this time so we can fix it.
I haven't been able to reproduce this with my week-old local 1.1.17pre build.
I would be surprised if it is truly the Master Password -- that is not stored anywhere. What has been reported in the past against the old wallet password manager was that it filled in whatever happened to be the first stored password in the wallet *.s file.

If it _is_ the master password then do you have any 3rd party password manager running on your machine? Either a Firefox-specific add-on or a separate utility program?

Christian:
1) what add-ons do you have installed? These are listed in the Add-ons dialog on the Tools menu.
2) what programs are currently running on your machine? Ctrl-Shift-Esc will bring up the windows task manager. Switch to the "Processes" tab and tell us what's in there. (A utility of the sort I suspect wouldn't show up on the shorter Applications list, unfortunately.) Alternately, if you look through the various icons in the lower-left windows task bar you may find one for such a utility.
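An added example, not code from the bug report, from dict.leo.org or from SeaMonkey: the bookmarklet's term-collection logic rewritten as readable functions and run against a constructed window object, so the behaviour described in the report and in comment 6 can be reproduced offline. The wallet contents, the userInput hook (a user pressing OK without typing), the "origin" label on prompts and the two prompt-service models are all assumptions made for illustration. The vulnerable model fills any empty prompt() with the first stored password; the hardened one fills only dialogs raised by browser chrome. encodeURIComponent replaces the bookmarklet's deprecated escape().

```javascript
// Added example, not code from the bug report or from SeaMonkey/LEO.
// Models the bookmarklet's term collection plus a toy "prompt service" with
// and without the wallet-autofill behaviour described in the bug.

// Constructed wallet contents (assumed shape; not the real *.s file format).
// Comment 6 says old wallet filled in whatever entry happened to be first.
const walletStore = [
  { host: "mail.example.test", user: "chris", password: "hunter2" },
  { host: "forum.example.test", user: "chris", password: "s3cret" },
];

// Vulnerable model: any prompt with an empty default gets the first stored
// password, no matter who raised the dialog. "origin" is our own label.
function promptServiceVulnerable(win, message, defaultValue, origin) {
  let value = defaultValue;
  if (value === "" && walletStore.length > 0) {
    value = walletStore[0].password; // autofill even for a page's prompt()
  }
  return win.userInput(message, value);
}

// Hardened model: wallet may fill only dialogs raised by browser chrome
// (e.g. a master-password dialog), never a content page's prompt().
function promptServiceHardened(win, message, defaultValue, origin) {
  let value = defaultValue;
  if (origin === "chrome" && value === "" && walletStore.length > 0) {
    value = walletStore[0].password;
  }
  return win.userInput(message, value);
}

// The bookmarklet's logic, step for step: selection in the top document,
// then each frame if there are several, then a prompt as last resort.
function collectSearchTerm(win) {
  let s = win.getSelection
    ? String(win.getSelection())
    : String(win.document.getSelection());
  if (s === "" && win.getSelection && win.frames.length !== 1) {
    for (const frame of win.frames) {
      s = String(frame.document.getSelection());
      if (s) break;
    }
  }
  if (s === "") {
    s = win.prompt(
      "Enter a search term or select the text you want to translate before clicking on LEOdict.",
      ""
    );
  }
  return s; // string, "" or null (user cancelled)
}

// URL the bookmarklet opens; null means "nothing to look up".
function buildLeoUrl(term) {
  if (!term) return null;
  return "http://dict.leo.org/?lp=ende&search=" + encodeURIComponent(term);
}

// Constructed window: no frames, a fixed selection, and a user who clicks OK
// without typing, so the dialog returns whatever was prefilled.
function makeWindow(selectionText, promptService) {
  const win = {
    frames: [],
    document: { getSelection: () => selectionText },
    getSelection: () => selectionText,
    userInput: (_message, prefilled) => prefilled,
  };
  win.prompt = (message, def) => promptService(win, message, def, "content");
  return win;
}

function runBookmarklet(selectionText, promptService) {
  return buildLeoUrl(collectSearchTerm(makeWindow(selectionText, promptService)));
}
```

The point the model makes: the bookmarklet receives a plain string from prompt() and has no way to tell a term the user typed from a value the browser prefilled, so no change to the page script can close this hole. The check belongs in the browser's prompt service, which must never let a stored credential reach a dialog that content script opened.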
Whiteboard: [sg:needinfo][needs answer to comment 6 from reporter]
(In reply to comment #6)
> 1) what add-ons do you have installed? These are listed in the Add-ons dialog
> on the Tools menu.
Sadly 1.1.17 doesn't have the Extension Manager yet...
Hi all,

@Daniel: you appear to be quite right - I've changed my master password and the one then revealed was still the "old" one. So I suppose it's sending the first password it happens to find in the wallet. And this one happened to be the same as my master password, uh oh..

No, I don't have any other password manager running at the same time.

Extensions installed: EnigMail 0.95.7 and ADBlockPlus 1.0.2 - but the password-sending also happened before installing them.

And I might have made this clearer: the issue does not happen every time! Sometimes I start up SeaMonkey and click the translate bookmarklet and it asks me (correctly) what word I wanted translated. But every now and then, it sends the ominous "first" password...

Thanks a lot!
So, should the title of this bug be changed to:
   Seamonkey reveals first wallet password to websites?
(In reply to comment #9)
> So, should the title of this bug be changed to:
>    Seamonkey reveals first wallet password to websites?
Yes, I fully agree - but I cannot change the heading myself, as in my form I could only add an alias...
Summary: Seamonkey reveals Master Password to websites due to javascript flaw → Seamonkey reveals first wallet password to websites due to javascript flaw
Hey all,

just wondering why the whiteboard still shows "needs answer to comment 6 from reporter" and whether this might really be what the bug is currently waiting for... But I answered #6 by Daniel with my #8, though without having clicked "Reply". Can I do something else to help?
We have EOLed SeaMonkey 1.x now, so I'm closing this bug, but we'll keep it closed to not expose users still on that now unmaintained series to attacks.

The new login manager used in SeaMonkey 2.0 doesn't have this problem, as far as we know, and wallet is now dead for good.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Whiteboard: [sg:needinfo][needs answer to comment 6 from reporter] → [sg:needinfo]
Group: core-security