Open Bug 674483 Opened 13 years ago Updated 2 years ago

Master password dialog is not related/linked with browser window causing it to open above other windows

Categories

(Core :: Security: PSM, defect, P3)

6 Branch
defect

People

(Reporter: u421047, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [psm-backlog])

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0
Build ID: 20110721152715

Steps to reproduce:

Start Firefox, minimize. Wait.


Actual results:

After a while suddenly a password prompt window appears. There is no hint about Firefox in this dialog. Every application could show that dialog to trick the user into entering the master password.


Expected results:

The master password prompt should be clearly linked with the Firefox window. Best would be no dialog at all, instead show the prompt in the Firefox window itself.
This only happens if for example Sync is enabled and a master password is set.

This bug entry should be about the security risk of spoofing the password dialog from any other application. 

I suggest these improvements:
1. The password dialog should be clearly labeled with the application it belongs to.
2. As suggested in bug 101611, the dialog should have a design which makes it harder to reproduce with a simple script.
3. Best would be to make the password prompt directly in the Firefox window, without showing a dialog at all.
4. Second best would be a modal dialog which is only shown together with the Firefox window (or a Sheet on Mac).
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
GAH.. sorry you said master password, my mistake...
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Component: Security → Security: UI
Product: Firefox → Core
Summary: Master Password Dialog is not Related/Linked with Firefox Window → Master password dialog is not related/linked with Firefox window
OS: Other → All
(In reply to Dana Keeler [:keeler] (use needinfo?) from bug 1288615 comment 2)
...
> The issue is that when NSS asks for a password, PSM doesn't know what window
> ultimately caused this to happen, so it opens up a dialog that doesn't have
> a parent, and it appears wherever the OS' window system says it should go.
> We could probably fix all cases of this, but really what we should do is
> have PSM cancel the request in a way that gets back to the originating cause
> so it can tell the front end to ask the user for a password and then retry
> the operation.
Component: Security: UI → Security: PSM
Whiteboard: [psm-backlog]
(Clarifying this bug so I don't mistakenly duplicate the wrong things to it again...)
Summary: Master password dialog is not related/linked with Firefox window → Master password dialog is not visually identified as trusted UI coming from Firefox
(In reply to Tobias from comment #1)
> 1. The password dialog should be clearly labeled with the application it
> belongs to.
This seems now to be looked at in bug 992569
related to bug 306730?
Depends on: 992569
Going back to something closer to the old summary to clarify.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Master password dialog is not visually identified as trusted UI coming from Firefox → Master password dialog is not related/linked with browser window causing it to open above other windows
Are bug 101611 and bug 992569 also simply duplicates?
Blocks: 432020
Severity: normal → S3

The severity field for this bug is relatively low, S3. However, the bug has 6 duplicates.
:keeler, could you consider increasing the bug severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dkeeler)

The last needinfo from me was triggered in error by recent activity on the bug. I'm clearing the needinfo since this is a very old bug and I don't know if it's still relevant.

Flags: needinfo?(dkeeler)
See Also: → 1768856