Closed Bug 693795 Opened 9 years ago Closed 8 years ago
steal the memorized password
I don't understand what the problem is: if you have malicious code running on your site, you've already lost. Of course your site can access the password field!
Not every page has a password field, but if a malicious script creates one Firefox will helpfully fill it in for you. Without that feature attackers would have to actively phish the user into knowingly entering the password (or using something like Opera's wand), and if the user knows they're already logged in that job gets harder. We have a bug on this somewhere. The interim solution is to set the preference signon.autofillForms to false, so users have to interact with a password field before the password manager will fill it in. At that point it can still be stolen, but that's the same as every browser in existence.
Dupe for Bug 534541?
As per comment 3. This bug will only apply when there's an MITM going on, and that's what bug 534541 is about.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 534541
You need to log in before you can comment on or make changes to this bug.