Bug 508791
Opened 15 years ago
Closed 15 years ago
saved password gets automatically inserted in any password field and can get stolen with simple xss
Categories: Firefox :: Security, enhancement
Status: RESOLVED DUPLICATE of bug 408531
People: Reporter aluc4rd; Unassigned
Description
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13

If Firefox detects an input field with type="password" and a password has been saved for the domain, Firefox automatically inserts the password. In the case of an XSS vulnerability on the page, an attacker can add a hidden form and password input field of their own and simply read out its value via JavaScript. Of course it is also possible to just use a hidden iframe to access a real password field on the domain (for example if there is a password change function etc.). It is similar to normal cookie stealing, but of course the effect is way bigger.

Reproducible: Always

Steps to Reproduce:
1. Find a web page that uses passwords and has an XSS vulnerability.
2. Insert a password field and JavaScript to read out the password. Code example:

    <form style="visibility: hidden"><input id="pwi" type="password"></form>
    <script>
    function xsstest() { alert(document.getElementById("pwi").value); }
    window.onload = xsstest;
    </script>

Best would be to just disable automatic password insertion by default. Passwords could still be inserted by double-clicking the login field and choosing the login name. At least this would make it harder to grab a password with the help of JavaScript.
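The report contrasts two autofill policies: fill every type="password" field on load (the behaviour it complains about) versus fill only after the user explicitly picks a saved login in a field (the mitigation it proposes). The following Node.js model, added here as an example and not part of the bug report or of Firefox's code, runs the report's injected-field payload against both policies. Document, form and input objects are constructed stand-ins for the DOM, the origin and the saved login (alice / hunter2) are made up, and the hidden-iframe variant the report also mentions is not modelled.

```javascript
// Added example, not from the bug report: a model of eager autofill versus
// fill-on-user-choice, with the report's hidden injected field id="pwi".

// Constructed saved login, as a password manager would hold it for the origin.
const SAVED_LOGIN = { origin: "https://example.test", username: "alice", password: "hunter2" };

// Minimal stand-ins for DOM nodes (assumption: no real browser API involved).
function input(id, type, opts = {}) {
  return { id, type, value: "", userSelected: Boolean(opts.userSelected) };
}

function form(id, inputs, opts = {}) {
  return { id, inputs, hidden: Boolean(opts.hidden) };
}

// The page as the report describes it: a legitimate login form plus a hidden
// form injected through the XSS hole, whose password field has id="pwi".
// userPickedLogin models the user double-clicking the login field and
// choosing the saved name (the mitigation's trigger).
function buildPage(userPickedLogin) {
  return {
    origin: "https://example.test",
    forms: [
      form("login", [
        input("user", "text", { userSelected: userPickedLogin }),
        input("pass", "password"),
      ]),
      form("injected", [input("pwi", "password")], { hidden: true }),
    ],
  };
}

// Policy A, the behaviour the report complains about: every type="password"
// input on an origin with a saved login is filled at load time, hidden or not.
function autofillEager(doc, saved) {
  if (doc.origin !== saved.origin) return doc;
  for (const f of doc.forms) {
    for (const i of f.inputs) {
      if (i.type === "password") i.value = saved.password;
    }
  }
  return doc;
}

// Policy B, the mitigation the report proposes: nothing is filled at load
// time; the password goes only into the form whose login field the user
// explicitly selected a saved login in.
function autofillOnUserChoice(doc, saved) {
  if (doc.origin !== saved.origin) return doc;
  for (const f of doc.forms) {
    const chosen = f.inputs.some((i) => i.type === "text" && i.userSelected);
    if (!chosen) continue;
    for (const i of f.inputs) {
      if (i.type === "password") i.value = saved.password;
    }
  }
  return doc;
}

// What the report's injected script reads: document.getElementById("pwi").value
function readInjectedField(doc) {
  for (const f of doc.forms) {
    const hit = f.inputs.find((i) => i.id === "pwi");
    if (hit) return hit.value;
  }
  return null;
}

// The legitimate form's password field, to show the mitigation still works
// for the user who actually asked for the login to be filled.
function readLoginField(doc) {
  const login = doc.forms.find((f) => f.id === "login");
  return login.inputs.find((i) => i.id === "pass").value;
}

// Apply a policy to the page and report what the attacker's payload sees
// next to what the real login field contains.
function stolenUnder(policy, userPickedLogin = true) {
  const doc = policy(buildPage(userPickedLogin), SAVED_LOGIN);
  return {
    attackerSees: readInjectedField(doc),
    legitimateFieldFilled: readLoginField(doc),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("eager autofill:      ", stolenUnder(autofillEager));
  console.log("fill on user choice: ", stolenUnder(autofillOnUserChoice));
}
```

Under the eager policy the hidden injected field receives "hunter2" before any script runs, so the onload handler from the report reads it; under the user-choice policy the injected form was never interacted with and stays empty, while the real login form is still filled once the user picks the saved name.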
Updated 15 years ago:
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE