508791 - saved password gets automatically inserted in any password field and can get stolen with simple xss

Status: RESOLVED DUPLICATE of bug 408531

(Firefox :: Security, enhancement)

Description

[RH]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13

If Firefox detects an input field with type="password" and a password got saved for the domain Firefox automatically inserts the password.

In case of an xss vulnerability on the page, an attacker can add an own hidden form and password input field and just readout it's value via javascript.

Of course it is also possible to just use a hidden iframe to access a real password field on the domain (for example if there is a password change function etc).

It is similar to normal cookie stealing but of course the effect is way bigger.

Reproducible: Always

Steps to Reproduce:
1. find a webpage that uses passwords and has a xss vulnerability
2. insert a password field and javascript to readout the password - code example:
<form style="visibility: hidden"><input id="pwi" type="password"></form><script>function xsstest() { alert(document.getElementById("pwi").value); } window.onload=xsstest;</script>



Best would be to just disable the automatical password insertion by default.
Passwords could still get inserted with doing a double click on the login-field and choosing the login name.

At least this would make it harder to grab a password with the help of javascript.