Open Bug 602181 Opened 14 years ago Updated 2 years ago

password exposed in memory cache

Categories

(Firefox :: Security, defect)

x86
Linux
defect

People

(Reporter: sim, Unassigned)

References

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10

If I browse https://username:password@host/ the username and password are visible in the memory cache.

Reproducible: Always

Steps to Reproduce:
Use any url to a webdav share
Actual Results:  
memory cache shows password.

Expected Results:  
memory cache hides password.
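An added example, not Firefox code and not the reporter's: a JavaScript helper that strips the userinfo part of a URL before the URL is used as a cache key or written to a log (the behaviour the reporter expects from the memory cache), plus a scanner over a constructed list of cache-key strings that flags any entry still carrying embedded credentials, which is the check one would run against an about:cache listing. The WebDAV hostnames and credentials in the sample data are made up.

```javascript
// Added example (not Firefox code): redact userinfo from URLs before they are
// stored or logged, and audit cache-key-like strings for credentials that
// slipped through. Uses the WHATWG URL API available in browsers and Node.

// Return the URL with username/password removed, plus whether any were present.
// Setting username and password to '' drops the "user:pass@" part entirely.
function redactCredentials(urlString) {
  const u = new URL(urlString);
  const hadCredentials = u.username !== '' || u.password !== '';
  u.username = '';
  u.password = '';
  return { url: u.href, hadCredentials };
}

// Scan cache-key-like strings and report the ones that still embed credentials.
// The report deliberately omits the password itself so the audit output does not
// become a second copy of the secret.
function findLeakedCredentials(keys) {
  const leaks = [];
  for (const key of keys) {
    let parsed;
    try {
      parsed = new URL(key);
    } catch (e) {
      continue; // skip entries that are not absolute URLs
    }
    if (parsed.username !== '' || parsed.password !== '') {
      leaks.push({ key, host: parsed.host, username: parsed.username });
    }
  }
  return leaks;
}

// Constructed sample: what a memory-cache listing might contain. Hostnames and
// credentials are invented for this example.
const SAMPLE_CACHE_KEYS = [
  'https://alice:s3cret@dav.example.org/remote.php/webdav/',
  'https://www.example.org/index.html',
  'https://bob@files.example.net/share/notes.txt',
  'not a url at all',
];

// Stand-alone run: audit the sample, then show the redacted form of each leak.
if (typeof require !== 'undefined' && require.main === module) {
  const leaks = findLeakedCredentials(SAMPLE_CACHE_KEYS);
  for (const leak of leaks) {
    console.log(`credentials cached for ${leak.username}@${leak.host}`);
    console.log(`  safe cache key: ${redactCredentials(leak.key).url}`);
  }
}
```

The scanner is the detection side: run it over an exported cache listing to confirm whether user:pass URLs are being keyed verbatim. The redaction helper is the mitigation side, applied wherever a URL is about to be persisted; note that it only addresses userinfo, not other sensitive URL components such as session tokens in query strings.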
Not an exploitable vulnerability that needs to remain hidden.
Group: core-security
The reporter indicated he wants comment 1 hidden.
No, you are misrepresenting me. When I made comment 1, the bug was hidden. I had the expectancy that it would remain hidden, until a solution was found. You exercised your own judgement, and publicized the bug.
the memory cache can be viewed by using the url about:cache?device=memory
Reporter disclosed this on Bugtraq. http://seclists.org/bugtraq/2010/Oct/51
This sounds like a special case of bug 130327. Local attacks just aren't a big part of our threat model. If you don't trust the people you share your computer with then you use Private Browsing or Clear Recent History, or better, use the operating system's facilities for separate user accounts. user:pass info in a URL might be sensitive, but so might other parts of the URLs like query terms, session IDs, etc.

Comment 1 indicates a service out there is using urls of this form and doesn't have another solution. IE doesn't even support this kind of URL so how can they not have another solution?
Status: UNCONFIRMED → NEW
Depends on: 130327
Ever confirmed: true
re: 7, with this kind of reasoning, why do we still have the master password prompt for the 'show passwords' in 'security'?
Severity: normal → S3