Closed
Bug 777725
Opened 12 years ago
Closed 11 years ago
If one Username with Password is stored, you can read it by javascript
Categories (Toolkit :: Password Manager, enhancement)
RESOLVED DUPLICATE of bug 653132
People (Reporter: calliou2014, Unassigned)
Details (Keywords: privacy)
Attachments (2 files)
User Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347
Steps to reproduce:
On my website I save a username and password. Then I log out, change my IP, delete cookies, and go back to the site.
My username and password are there in the form, and my JavaScript reads them out and lets me know who is on the site (you are not logged in).
Expected results:
Prefilled forms shouldn't be readable.
I don't know whether prefilled forms can be read by JavaScript in Internet Explorer, Chrome, Opera, and Safari too.
http://83f.de/information/Example.html
Register your name, then go away and come back, and click "who am i".
Windows Firefox, too. Only one user and password should be saved for the homepage; if there are 2, this easy-to-use JavaScript won't work; maybe there's another workaround.
Updated•12 years ago
Group: core-security
Comment on attachment 769099
Prefilled forms can be read by JavaScript
It is a prefilled form
Attachment #769099 -
Attachment filename: Bildschirmfoto.png → Screen.png
If you use an external script like
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script>
you also give Google the ability to read out the form data.
Updated•11 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Comment 10•11 years ago (Reporter)
"The duplicate" was fixed in the year 2008
https://bugzilla.mozilla.org/show_bug.cgi?id=359675
This bug is new and is not fixed, so don't mark it as a duplicate.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Comment 11•11 years ago
You can already enable the settings added by bug 359675 ("signon.autofillForms") because it is already fixed.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → DUPLICATE
Comment 12•11 years ago (Reporter)
You are right: in about:config I can set signon.autofillForms to false.
Do you think every user of Firefox should go to about:config to set signon.autofillForms to false?
I don't think that is a solution!
I see three possibilities:
1.) Firefox sets signon.autofillForms to false by default with the next update
2.) Someone invests time and develops a new method for secure prefilled forms (I prefer this)
and number three, your possibility:
3.) I should go to settings and switch autofillForms to false; everyone else who doesn't look at this thread can share their private data with those who know and use this bug
Is this your and/or Firefox's security policy? I hope not.
And please do not mark this as a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=359675; this error does not deal with XSS, this error is simple JavaScript, which can easily be exploited by everyone.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Comment 13•11 years ago (Reporter)
After a few weeks this bug still exists and nobody is doing anything.
This bug is now confirmed.
Updated•11 years ago
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Comment 14•11 years ago
Hi Frank. Looks like it's been a while and I can see the history of disagreement on the discussion here over what the default behavior should be. It does seem like an issue that should be clarified in descriptions of privacy settings. For now, you might want to try using Private Browsing windows when you log in to sensitive sites on computers you don't have control over.
Severity: major → enhancement
Comment 15•11 years ago (Reporter)
Yes, that's the same error, and nothing has been done since 2011 :-)
If I have a select box of 2 saved usernames and select one, the password is filled in and can also be read out.
This bug is not usable by a little man, but it is for Facebook and Co., which are on many homepages (integrated by JAVASCRIPT!!!)
This is fatal!
Comment 16•11 years ago
That's how password fields work; this isn't a bug. Of course web pages can read what you (or the browser) type into them; some pages require this.
Even if you disagree on that point, if a web page wanted to trick the user it could just implement something that looks like a <input type=password> but isn't really.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → INVALID
Updated•11 years ago
Status: RESOLVED → VERIFIED
Comment 17•11 years ago
Seems more appropriate to resolve this as a duplicate of bug 653132.
I disagree regarding this not being a bug, as it *is* inarguably a privacy leak and we *could* do something about it, e.g. for passwords stored in the password manager, we could allow JS to read back only dummy values until the onsubmit event fired. This would require careful study to make sure it doesn't break sites, even those that do batshit things like copy all the form values from the visible form to an invisible second form (yes, I have seen *that*)... but the password manager already doesn't work on sites that are sufficiently batshit, so I think the compat hit is likely to be acceptable.
Status: VERIFIED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: INVALID → DUPLICATE
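A site-owner-side check for the point raised in the thread about external scripts on pages with stored logins, as an added example that is not part of the bug report or of Firefox code: it lists every third-party script origin on a page that contains a password field and whether that script is pinned with an `integrity` attribute. The page URL `http://login.example/` and the sample markup are constructed; the jQuery URL is the one quoted in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def origin(url):
    """Return scheme://host[:port] of a URL, lowercased (default ports are not normalised)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class LoginPageAudit(HTMLParser):
    """Record password inputs and cross-origin <script src> tags of one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.has_password_field = False
        self.third_party = []  # list of (script origin, has integrity attribute)

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag == "input" and attr.get("type", "").lower() == "password":
            self.has_password_field = True
        elif tag == "script" and attr.get("src"):
            src = urljoin(self.page_url, attr["src"])  # resolves relative and // URLs
            if origin(src) != origin(self.page_url):
                self.third_party.append((origin(src), bool(attr.get("integrity"))))


def audit(page_url, html):
    """Third-party scripts that share a document with a password field."""
    parser = LoginPageAudit(page_url)
    parser.feed(html)
    return parser.third_party if parser.has_password_field else []


# Constructed sample page: one same-origin script, one external script, one login form.
SAMPLE_HTML = """
<html><head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script>
<script src="/js/site.js"></script>
</head><body>
<form><input type="text" name="user"><input type="password" name="pass"></form>
</body></html>
"""

if __name__ == "__main__":
    for script_origin, pinned in audit("http://login.example/", SAMPLE_HTML):
        state = "integrity attribute present" if pinned else "no integrity attribute"
        print(f"{script_origin}: runs in the same document as a password field ({state})")
```

An `integrity` attribute only fixes the script's content to what was reviewed; the script still runs with the same access to the form as the page's own code.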