635439 - Remove doorhanger key icon when "Not now" is selected in Password Save doorhanger

Status: NEW

(Firefox :: Security, defect)

Description

[Benjamin Xiao]

User-Agent:       Mozilla/5.0 (Windows NT 6.1; rv:2.0b12pre) Gecko/20110218 Firefox/4.0b12pre
Build Identifier: Mozilla/5.0 (Windows NT 6.1; rv:2.0b12pre) Gecko/20110218 Firefox/4.0b12pre

In Fx4, you can no longer choose "Don't Save" when it asks you whether you want to save your password. You can only hide the doorhanger notification not dismiss it completely. This is a huge attack vector because other users can click on the doorhanger key icon, save the password, and then view what the password is in the password manager.

The behavior of the "Not Now" option in the doorhanger submenu should be changed to "Don't Save', where any password information that Firefox was about to save is DELETED and the doorhanger key icon is REMOVED.

Here's two usage scenarios that I see where the lack of "Don't Save" is
severely detrimental. Let's say that a user is using a public computer and
needs to print an email. He leaves the computer to retrieve the pages he's
printed.

*Without "Don't Save"
1.) User logs in to email.
2.) He sees Password Save doorhanger. Dismisses (hides) it because he does not
want to save password.
3.) Prints email and leaves computer to retrieve pages from printer.
4.) ATTACK VECTOR: Another user reopens doorhanger, saves password, opens
Password Manager, writes down password.

*With "Don't Save"
1.) User logs in to email.
2.) He sees Password Save doorhanger. Selects "Don't Save For Now". Doorhanger
completely disappears.
3.) Prints email and leaves computer to retrieve pages from printer.
4.) ATTACK PREVENTED: Another user sees email account is open, but can not reopen the doorhanger and access password. The worst he can do is send insulting emails to your
girlfriend, but at least your password is safe.

I really hope this makes it clear why this feature is needed. This is a huge
security hole for people using Firefox in Internet cafes or public schools.
This is also a huge regression in functionality from Fx 3.6, which did offer a
"don't save for now" option in the form of the X button.



Now before you WONTFIX this, let me refute all of the reasons against this that I've heard so far.

1.) Adds UI Clutter.

We already have a "Not Now" option that currently just hides the doorhanger. This is redundant since users can already hide the doorhanger by clicking on the X button or on web content. Redundancy is UI clutter. Let's change this option to behave like "Don't Save" and make it useful.


2.) Set a master password.

This option might work for private computers, but it is completely invalid for public computers. Why would you set a master password on a public computer?


3.) Just select "Never Remember Password For This Site".

Just because I don't want my password saved doesn't mean that I should decide that other users can't save their passwords on that site.


4.) If you don't trust the computer you're using, it's already Game Over. For all
you know they're running a modified Firefox that steals your password. But
other workarounds would be to close the tab, or better yet start Private
Browsing mode.

Not a valid argument. This is like saying a computer might have a keylogger and
therefore we should make Firefox save all passwords because it is unavoidable
anyways. We're not talking about modified versions of Firefox here. We're
talking about a flaw that makes it damned easy for people with UNMODIFIED
versions of Firefox to steal YOUR personal info. Firefox, being a safe and
secure browser, should not in anyway AID in the stealing of passwords.



Reproducible: Always

Comment 1

[alex_mayorga]

I can confirm the problematic behavior on Mozilla/5.0 (X11; Linux x86_64; rv:2.0b12pre) Gecko/20110218 Firefox/4.0b12pre ID:20110218045138

Comment 2

[Jim Jeffery not reading bug-mail 1/2/11]

Confirming this bug - key hangs around when dismissed rather than saving password allowing user to -revisit/enable an password.

Comment 3

[Johnathan Nightingale [:johnath]]

Not WONTFIXING yet, but this is not a blocker.

Comment 4

[alex_mayorga]

(In reply to comment #3)
> Not WONTFIXING yet, but this is not a blocker.

Can you please explain the rationale to WONTFIX? This is equivalent to people inadvertently writing passwords on a post-it note and sticking it to their monitors.