Open
Bug 602181
Opened 14 years ago
Updated 2 years ago
password exposed in memory cache
Categories
(Firefox :: Security, defect)
NEW
People
(Reporter: sim, Unassigned)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10
If I browse https://username:password@host/ the username and password are visible in the memory cache.
Reproducible: Always
Steps to Reproduce: Use any URL to a WebDAV share
Actual Results: memory cache shows password.
Expected Results: memory cache hides password.
Comment 2•14 years ago
Not an exploitable vulnerability that needs to remain hidden.
Group: core-security
Reporter
Comment 4•14 years ago
No, you are misrepresenting me. When I made comment 1, the bug was hidden. I had the expectancy that it would remain hidden, until a solution was found. You exercised your own judgement, and publicized the bug.
Reporter
Comment 5•14 years ago
The memory cache can be viewed by using the URL about:cache?device=memory
Comment 6•14 years ago
Reporter disclosed this on Bugtraq. http://seclists.org/bugtraq/2010/Oct/51
Comment 7•14 years ago
This sounds like a special case of bug 130327. Local attacks just aren't a big part of our threat model. If you don't trust the people you share your computer with then you use Private Browsing or Clear Recent History, or better, use the operating system's facilities for separate user accounts.
user:pass info in a URL might be sensitive, but so might other parts of the URLs like query terms, session IDs, etc.
Comment 1 indicates a service out there is using URLs of this form and doesn't have another solution. IE doesn't even support this kind of URL so how can they not have another solution?
Reporter
Comment 8•14 years ago
Re: 7, with this kind of reasoning, why do we still have the master password prompt for the 'show passwords' in 'security'?
Updated•2 years ago
Severity: normal → S3
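The expected result in the report ("memory cache hides password") comes down to masking the userinfo part of a URL at the point where it is rendered. The following is an added example, not Firefox code and not part of the bug thread; the function names, the mask string and the sample rows are assumptions made for illustration. It changes only what a listing displays, not what is held in memory.

```javascript
// Added example (not Firefox code): mask URL userinfo before a URL is rendered
// in a listing such as a cache view or a log line. All names are hypothetical.
const MASK = "***";

// Fallback for strings the URL parser rejects: mask everything between
// "scheme://" and the last "@" inside the authority component.
const FALLBACK = /^([a-z][a-z0-9+.-]*:\/\/)[^\/?#]*@/i;

// Return a display form of `raw` with credentials removed.
// keepUser=true keeps the user name and masks only the password.
function redactUserinfo(raw, { keepUser = false } = {}) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return raw.replace(FALLBACK, `$1${MASK}@`);
  }
  // No credentials present: return the input untouched (no normalisation).
  if (url.username === "" && url.password === "") return raw;
  if (keepUser) {
    if (url.password !== "") url.password = MASK;
  } else {
    // A token is sometimes carried in the user name, so mask that as well.
    url.username = MASK;
    url.password = "";
  }
  // href is the parser's normalised serialisation of the redacted URL.
  return url.href;
}

// Constructed sample rows shaped like a cache listing (key = entry URL).
const SAMPLE_ENTRIES = [
  { key: "https://username:password@host/", size: 2048 },
  { key: "https://host/style.css", size: 512 },
];

// Render the listing with every key passed through the redactor.
function renderListing(entries) {
  return entries.map((e) => `${redactUserinfo(e.key)}  ${e.size} bytes`);
}
```
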