Open
Bug 674483
Opened 13 years ago
Updated 2 years ago
Master password dialog is not related/linked with browser window causing it to open above other windows
Categories
(Core :: Security: PSM, defect, P3)
NEW
People
(Reporter: u421047, Unassigned)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [psm-backlog])
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0
Build ID: 20110721152715

Steps to reproduce:
Start Firefox, Minimize. Wait.

Actual results:
After a while suddenly a password prompt window appears. There is no hint about Firefox in this dialog. Every application could show that dialog to trick the user into entering the master password.

Expected results:
The master password prompt should be clearly linked with the Firefox window. Best would be no dialog at all, instead show the prompt in the Firefox window itself.

This only happens if for example Sync is enabled and a master password is set. This bug entry should be about the security risk of spoofing the password dialog from any other application. I suggest these improvements:
1. The password dialog should be clearly labeled with the application it belongs to.
2. As suggested in bug 101611, the dialog should have a design which makes it harder to reproduce with a simple script.
3. Best would be to make the password prompt directly in the Firefox window, without showing a dialog at all.
4. Second best would be a modal dialog which is only shown together with the Firefox window (or a Sheet on Mac).
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
GAH.. sorry you said master password, my mistake...
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Updated•11 years ago
Blocks: masterpassword
Component: Security → Security: UI
Product: Firefox → Core
Summary: Master Password Dialog is not Related/Linked with Firefox Window → Master password dialog is not related/linked with Firefox window
Updated•11 years ago
OS: Other → All
Comment 6•8 years ago
(In reply to Dana Keeler [:keeler] (use needinfo?) from bug 1288615 comment 2)
...
> The issue is that when NSS asks for a password, PSM doesn't know what window
> ultimately caused this to happen, so it opens up a dialog that doesn't have
> a parent, and it appears wherever the OS' window system says it should go.
> We could probably fix all cases of this, but really what we should do is
> have PSM cancel the request in a way that gets back to the originating cause
> so it can tell the front end to ask the user for a password and then retry
> the operation.
Component: Security: UI → Security: PSM
Whiteboard: [psm-backlog]
Priority: -- → P3
See Also: → 741327
(Clarifying this bug so I don't mistakenly duplicate the wrong things to it again...)
Summary: Master password dialog is not related/linked with Firefox window → Master password dialog is not visually identified as trusted UI coming from Firefox
See Also: 741327 →
Comment 10•7 years ago
(In reply to Tobias from comment #1)
> 1. The password dialog should be clearly labeled to which application it
> belongs to.

This seems now to be looked at in bug 992569
Comment 14•7 years ago
Going back to something closer to the old summary to clarify.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Master password dialog is not visually identified as trusted UI coming from Firefox → Master password dialog is not related/linked with browser window causing it to open above other windows
Comment 15•7 years ago
Are bug 101611 and bug 992569 also simply duplicates?
Updated•2 years ago
Severity: normal → S3
Comment 18•2 years ago
The severity field for this bug is relatively low, S3. However, the bug has 6 duplicates.
:keeler, could you consider increasing the bug severity?
For more information, please visit auto_nag documentation.
Flags: needinfo?(dkeeler)
Comment 19•2 years ago
The last needinfo from me was triggered in error by recent activity on the bug. I'm clearing the needinfo since this is a very old bug and I don't know if it's still relevant.
Flags: needinfo?(dkeeler)