Closed Bug 693795 Opened 9 years ago Closed 8 years ago

steal the memorized password

Categories

(Firefox :: Security, defect)

x86
All
defect
Not set
major

Tracking

()

RESOLVED DUPLICATE of bug 534541

People

(Reporter: admin, Unassigned)

Details

The vulnerability can steal the memorized password from the authorization form (common domain on a site with malicious code and on the site with the authorization form (same origin policy) ).

Firefox 3.6.13 .. 7.0.1, 10.0a1 nightly
Chrome 14.0.835.202 m
Operating System: Windows 7
		  Windows XP SP3 Pro

//Example in jQuery:
<iframe src="/admin" id="frame" style="display:none;"></iframe>
<script type="text/javascript"> 
$(document).ready(function(){
$('#frame').load(function(){
var pass = $('#frame').contents().find('input[name="password"]').val();
alert(pass); // (or send a crossdomain JSONP request)
});
}); 
</script>
I don't understand what the problem is: if you have malicious code running on your site, you've already lost. Of course your site can access the password field!
Not every page has a password field, but if a malicious script creates one Firefox will helpfully fill it in for you. Without that feature attackers would have to actively phish the user into knowingly entering the password (or using something like Opera's wand), and if the user knows they're already logged in that job gets harder.

We have a bug on this somewhere. The interim solution is to set the preference signon.autofillForms to false, so users have to interact with a password field before the password manager will fill it in. At that point it can still be stolen, but that's the same as every browser in existence.
Group: core-security
Whiteboard: DUPEME
Dupe for Bug 534541?
As per comment 3.

This bug will only apply when there's an MITM going on, and that's what bug 534541 is about.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 534541
Whiteboard: DUPEME
You need to log in before you can comment on or make changes to this bug.