Closed Bug 777725 Opened 12 years ago Closed 11 years ago

If one Username with Password is stored, you can read it by javascript

Categories

(Toolkit :: Password Manager, enhancement)

14 Branch
enhancement
Not set
normal

RESOLVED DUPLICATE of bug 653132

People

(Reporter: calliou2014, Unassigned)

Details

(Keywords: privacy)

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

On my website I save a username and password. Then I log out, change my IP, delete cookies, and go back to the site.
The form shows my username and password, and my JavaScript reads them out and lets me know who is on the site (you are not logged in).

Expected results:

Prefilled forms shouldn't be readable.
I don't know if you can read a prefilled form by JavaScript in Internet Explorer, Chrome, Opera, Safari too.
http://83f.de/information/Example.html 

Register your name, then go away and come back again, and click "who am i".
Windows Firefox, too. Only one user and password should be saved at the homepage; if 2, this easy-to-use JavaScript won't work, maybe there's another workaround.
Keywords: privacy
OS: Linux → All
Hardware: x86 → All
Severity: normal → major
Group: core-security
Not a security issue.
Group: core-security
Comment on attachment 769099 [details]
Prefilled Formulars can read by Javascript

It is a prefilled form
Attachment #769099 - Attachment filename: Bildschirmfoto.png → Screen.png
Very easy steps to read out prefilled username and password
If you use an external script like

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script>

you also give Google the ability to read out the form data.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
"The duplicate" was fixed in the year 2008
https://bugzilla.mozilla.org/show_bug.cgi?id=359675

This bug is new, and is not fixed, so don't mark it as a duplicate.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
You can already enable the settings added by bug 359675 ("signon.autofillForms") because it is already fixed.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You are right: in about:config I can set signon.autofillForms to false.

Do you think every user of Firefox should go to about:config to set signon.autofillForms to false?

I don't think that is a solution!

I see three possibilities:
1.) Firefox sets signon.autofillForms to false by default with the next update
2.) Someone invests time and develops a new method for secure prefilled forms (I prefer)

and number three, your possibility:
3.) I should go to settings and switch autofillForms to false; everyone else who doesn't look at this thread can share his private data with those who know and use this bug

Is this your and/or Firefox's security policy? - I hope not

And please do not mark this as a duplicate entry of https://bugzilla.mozilla.org/show_bug.cgi?id=359675; this error here does not deal with XSS, this error here is simple JavaScript, which can easily be exploited by everyone.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
After a few weeks this bug still exists and nobody has done anything.

This bug is now confirmed.
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Hi Frank. Looks like it's been a while and I can see the history of disagreement on the discussion here over what the default behavior should be. It does seem like an issue that should be clarified in descriptions of privacy settings. For now, you might want to try using Private Browsing windows when you log in to sensitive sites on computers you don't have control over.
Severity: major → enhancement
Yes, that's the same error and nothing has been done yet since 2011 :-)

If I have a select box of 2 saved usernames and select one, the password is filled and can also be read out.

This bug is not usable by a little man but by Facebook and Co., which are on many homepages (integrated by JAVASCRIPT!!!)

This is fatal!
That's how password fields work, this isn't a bug. Of course the web pages can read what you (or the browser) type into it, some pages require this.

Even if you disagree on that point, if a web page wanted to trick the user it could just implement something that looks like an <input type=password> but isn't really.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Status: RESOLVED → VERIFIED
Seems more appropriate to resolve this as a duplicate of bug 653132.

I disagree regarding this not being a bug, as it *is* inarguably a privacy leak and we *could* do something about it, e.g. for passwords stored in the password manager, we could allow JS to read back only dummy values until the onsubmit event fired.  This would require careful study to make sure it doesn't break sites, even those that do batshit things like copy all the form values from the visible form to an invisible second form (yes, I have seen *that*)... but the password manager already doesn't work on sites that are sufficiently batshit, so I think the compat hit is likely to be acceptable.
Status: VERIFIED → RESOLVED
Closed: 11 years ago
Resolution: INVALID → DUPLICATE
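
The masking idea proposed in the last comment above, as an added JavaScript model that is not Firefox code and not part of the original bug discussion: script reads of a manager-filled field return a dummy value until submit. The class, its method names and the DUMMY value are hypothetical.

```javascript
// Added model of the proposal; names are hypothetical, not Firefox APIs.
const DUMMY = "\u2022".repeat(8); // what script sees before submit

class ModelPasswordField {
  #real = "";
  #managerFilled = false;
  #submitting = false;

  // Password manager autofill: the secret is stored but masked from script.
  fillFromManager(secret) { this.#real = secret; this.#managerFilled = true; }

  // User typing stays readable, since some pages validate input as it is typed.
  typeByUser(text) { this.#real = text; this.#managerFilled = false; }

  // What page script gets when it reads `field.value`.
  get value() {
    if (this.#managerFilled && !this.#submitting) return DUMMY;
    return this.#real;
  }

  // A script assignment replaces the stored secret and lifts the mask.
  set value(v) { this.#real = String(v); this.#managerFilled = false; }

  // Submission: onsubmit handlers run with the real value visible,
  // and the real value is what goes to the server.
  submit(onsubmit = () => {}) {
    this.#submitting = true;
    try { onsubmit(this); return this.#real; }
    finally { this.#submitting = false; }
  }
}

// Case 1: any script on the page reads the field right after autofill.
function readOnLoad(secret) {
  const field = new ModelPasswordField();
  field.fillFromManager(secret);
  return field.value;
}

// Case 2: the compatibility case from the comment, a page that copies the
// visible form into a second, hidden form. Returns what the server receives.
function copyToHiddenForm(secret, when) {
  const visible = new ModelPasswordField();
  const hidden = new ModelPasswordField();
  visible.fillFromManager(secret);
  if (when === "load") { hidden.value = visible.value; return hidden.submit(); }
  visible.submit((f) => { hidden.value = f.value; });
  return hidden.submit();
}
```

In this model a page that copies values at load time submits the dummy and breaks, while one that copies inside its submit handler still works; any handler that runs during submit also still sees the real value.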