If one Username with Password is stored, you can read it by javascript

RESOLVED DUPLICATE of bug 653132

Status

()

Toolkit
Password Manager
--
enhancement
RESOLVED DUPLICATE of bug 653132
5 years ago
4 years ago

People

(Reporter: Frank, Unassigned)

Tracking

({privacy})

14 Branch
privacy
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

in my website i save username and password. then i log out, change my ip, delete cookies, and go back on the site. 
on the form there stand my username and password, and my javascript read this out and let me know who is on the site(you are not logged in) 






Expected results:

prefilled formulars shouldn't able to read out
(Reporter)

Comment 1

5 years ago
i don't know if you can read prefilled formular by javascript in internet explorer , chrome , opera , safari too
(Reporter)

Comment 2

5 years ago
http://83f.de/information/Example.html 

register your name. then go away and come again , click who am i
(Reporter)

Comment 3

5 years ago
windows firefox, too . only one user and password should be save at homepage, if 2 this easy to use javascript won't work, maybe there's an ohter workaround
(Reporter)

Updated

5 years ago
Keywords: privacy
OS: Linux → All
Hardware: x86 → All
(Reporter)

Updated

5 years ago
Severity: normal → major
Group: core-security
Not a security issue.
Group: core-security
(Reporter)

Comment 5

5 years ago
Created attachment 769099 [details]
Prefilled Formulars can read by Javascript
(Reporter)

Comment 6

5 years ago
Comment on attachment 769099 [details]
Prefilled Formulars can read by Javascript

It is a prefilled Formular
Attachment #769099 - Attachment filename: Bildschirmfoto.png → Screen.png
(Reporter)

Comment 7

4 years ago
Created attachment 769465 [details]
Not only username, its possible to read password, too

Very easy steps to read out prefilled username and password
(Reporter)

Comment 8

4 years ago
if you use an external script like

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript">

you give also google the ability to read out the form data.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 359675
(Reporter)

Comment 10

4 years ago
"The duplicate" is fixed in year 2008
https://bugzilla.mozilla.org/show_bug.cgi?id=359675

This bug ist new, and is not fixed, so don't mark it as duplicate.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
You can already enable the settings added by bug 359675 ("signon.autofillForms") because it is already fixed.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 359675
(Reporter)

Comment 12

4 years ago
You are right: In about:config i can set signon.autofillForms to false 

Do you think, every user of firefox should go to about:config for setting signon.autofillForms to false?

I don't think that is a solution!

I see three possibilites:
1.) Firefox put signon.autofillForms settings with the next update standard to false
2.) Someone invest time and develop a new method for secure prefilled forms (i prefer)

and number three, your possibilite:
3.) I should go to settings and switch the autofillForms to false; every else who don't look at this thread can share his private data to those, who know and use this bug

Is this your and/or firefox security policy? - I hope not

And please do not mark this as a duplicate entry of https://bugzilla.mozilla.org/show_bug.cgi?id=359675, this error here does not deal with xss, this error here is simple javascript, which can easily exploit by everyone.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
(Reporter)

Comment 13

4 years ago
After a few weeks this bug still exists and nobody do something.

This bug is now confirmed.
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Hi Frank. Looks like it's been a while and I can see the history of disagreement on the discussion here over what the default behavior should be. It does seem like an issue that should be clarified in descriptions of privacy settings. For now, you might want to try using Private Browsing windows when you log in to sensitive sites on computers you don't have control over.
Severity: major → enhancement
See Also: → bug 653132
(Reporter)

Comment 15

4 years ago
Yes, thats the same error and nothing done yet since 2011 :-) 

If i have a selectbox of 2 saved username and select one, the password is filled and can also read out.

This Bug is not useable by a little man but for Facebook and Co., which are on many Homepages (intergrated by JAVASCRIPT!!!)

This is fatal!
That's how password fields work, this isn't a bug. Of course the web pages can read what you (or the browser) types into it, some pages require this.

Even if you disagree on that point, if a web page wanted to trick the user it could just implement something that looks like a <input type=password> but isn't really.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago4 years ago
Resolution: --- → INVALID
Status: RESOLVED → VERIFIED
Seems more appropriate to resolve this as a duplicate of bug 653132.

I disagree regarding this not being a bug, as it *is* inarguably a privacy leak and we *could* do something about it, e.g. for passwords stored in the password manager, we could allow JS to read back only dummy values until the onsubmit event fired.  This would require careful study to make sure it doesn't break sites, even those that do batshit things like copy all the form values from the visible form to an invisible second form (yes, I have seen *that*)... but the password manager already doesn't work on sites that are sufficiently batshit, so I think the compat hit is likely to be acceptable.
Status: VERIFIED → RESOLVED
Last Resolved: 4 years ago4 years ago
Resolution: INVALID → DUPLICATE
Duplicate of bug: 653132
You need to log in before you can comment on or make changes to this bug.