Open Bug 786276 Opened 8 years ago Updated 4 months ago
Don't autofill passwords in frames that are not same-origin with top-level page
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1

Steps to reproduce:
In some SNS, click-jacking is not prevented on the login form if the user is logged out. If you saved the password, click-jacking may lead users into logging in unintentionally via autofilled passwords. It's a sort of click-jacking vulnerability on the server side, but it affects all users of the insecure SNS. I've already found foursquare.com as one such SNS. https://ja.foursquare.com/login and their other locales are not protected against CSRF/clickjacking.

Actual results:
Some SNSs display users' status, such as their realtime location, to the whole world if logged in. So an unintentional login may cause a serious user information leakage.

Expected results:
The password autofiller must be allowed only if the URL displayed in the location bar matches the origin of the password form to be autofilled.
https://bugzilla.mozilla.org/show_bug.cgi?id=610997 seems to be the same attack, but I think the resolution suggested by Daniel Veditz is inappropriate. Requiring users to manually fill in the username will also prevent this attack, but the same-origin policy I wrote above allows automatic prevention. And for 2 years, more SNSs may leak sensitive information if the user logs in unintentionally.
Component: Untriaged → Security
See Also: → 610997
Matt, can you look at this to confirm it?
I suspect the password manager folks will reject this approach since some sites host their generic "account" login on a sub-domain that differs (e.g. google.com sites sometimes (used to?) frame accounts.google.com). We could take an eTLD+1 approach, but then other folks will point out this leaves sites with mutually hostile sibling domains unprotected (e.g. livejournal).
Status: UNCONFIRMED → NEW
Component: Untriaged → Password Manager
Depends on: 610997
Ever confirmed: true
Product: Firefox → Toolkit
Summary: Password Autofill leaks realtime location of SNS users → Don't autofill passwords in frames that are not same-origin with top-level page
I think "semi-automatic" autofill would be a better implementation. If the iframe is not same-origin, the password manager should confirm before autofilling the password. This approach requires one additional click from users only if the website is clickjackable. It will create an incentive to think about clickjacking. Example:
1. Autofill if iframe.src is same-origin with location.href.
2. If not, confirm "Your password of login.example.com will be autofilled. (Y/n)"
3. If yes, fill the saved password.
This will not lose any saved passwords but will protect users properly.
OS: Windows 7 → All
Hardware: x86_64 → All
See Also: 610997 →
Version: 18 Branch → Trunk
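The decision logic discussed in the two comments above, as an added JavaScript example that is not Firefox password-manager code: the strict same-origin check between the frame and the top-level page (the "semi-automatic" scheme: fill silently when same-origin, prompt otherwise), beside the eTLD+1 relaxation the developer comment mentions, so the "mutually hostile sibling domains" caveat is visible in the output. Hostnames such as login.example, sibling.example and third-party.example, the set of saved-login origins and the scenarios are constructed for the example; the eTLD+1 helper is a deliberately naive last-two-labels shortcut rather than a Public Suffix List lookup and is assumed only for illustration.

```javascript
// Added example, not Firefox/Toolkit password-manager code.
// Decides how a password manager should treat a login form inside a frame,
// given the URL shown in the location bar (top-level page) and the URL of the
// frame containing the form. Uses Node's global WHATWG URL; no modules needed.

// Origin of a URL as "scheme://host[:port]". URL.origin already drops default
// ports, so https://a.example:443/ and https://a.example/ compare equal.
function originOf(urlString) {
  const origin = new URL(urlString).origin;
  if (origin === "null") {
    // data:, blob: without a backing origin, etc. Never match against these.
    throw new Error(`opaque origin, refusing to match: ${urlString}`);
  }
  return origin;
}

// Strict check from the bug title: scheme, host and port must all match.
function isSameOrigin(topUrl, frameUrl) {
  return originOf(topUrl) === originOf(frameUrl);
}

// Naive "site" (eTLD+1) helper: last two host labels. Assumption for this
// example only; a real implementation must consult the Public Suffix List,
// since this version lumps every host under a suffix like co.uk together.
function naiveSiteOf(urlString) {
  return new URL(urlString).hostname.split(".").slice(-2).join(".");
}

// Schemeful same-site: same scheme and same registrable domain.
function isSameSiteNaive(topUrl, frameUrl) {
  const a = new URL(topUrl);
  const b = new URL(frameUrl);
  return a.protocol === b.protocol && naiveSiteOf(topUrl) === naiveSiteOf(frameUrl);
}

// Decision for the form in the frame:
//   "skip"   - no saved login for the form's origin, nothing to do
//   "fill"   - autofill silently (frame is same-origin with the top page)
//   "prompt" - frame is cross-origin: ask the user first
function autofillDecision(topUrl, frameUrl, savedLoginOrigins) {
  const formOrigin = originOf(frameUrl);
  if (!savedLoginOrigins.has(formOrigin)) {
    return { action: "skip", formOrigin };
  }
  if (isSameOrigin(topUrl, frameUrl)) {
    return { action: "fill", formOrigin };
  }
  return {
    action: "prompt",
    formOrigin,
    message: `Your password of ${new URL(frameUrl).host} will be autofilled. (Y/n)`,
  };
}

// Same decision with the eTLD+1 relaxation: a sibling sub-domain under the
// same registrable domain is filled silently instead of prompting.
function autofillDecisionSameSite(topUrl, frameUrl, savedLoginOrigins) {
  const strict = autofillDecision(topUrl, frameUrl, savedLoginOrigins);
  if (strict.action === "prompt" && isSameSiteNaive(topUrl, frameUrl)) {
    return { action: "fill", formOrigin: strict.formOrigin };
  }
  return strict;
}

// Constructed sample data: origins that have a saved login. Only the origin
// matters for the decision; no credentials are involved.
const SAVED_LOGIN_ORIGINS = new Set([
  "https://login.example",
  "https://accounts.sibling.example",
]);

// Constructed scenarios (top-level page URL, URL of the frame with the form).
const SCENARIOS = [
  // Login page on its own origin: fill under both policies.
  { top: "https://login.example/", frame: "https://login.example/login" },
  // Login form framed by an unrelated page: the case the bug is about.
  { top: "https://third-party.example/", frame: "https://login.example/login" },
  // Explicit :443 and the default port are the same origin.
  { top: "https://login.example:443/", frame: "https://login.example/login" },
  // Same host, different scheme: not the same origin (and not same-site here).
  { top: "http://login.example/", frame: "https://login.example/login" },
  // Sibling sub-domains of one registrable domain (the "mutually hostile
  // siblings" caveat): strict policy prompts, eTLD+1 policy fills silently.
  { top: "https://user1.sibling.example/", frame: "https://accounts.sibling.example/login" },
];

// Returns one row per scenario with the action each policy would take.
function runScenarios() {
  return SCENARIOS.map(({ top, frame }) => ({
    top,
    frame,
    strict: autofillDecision(top, frame, SAVED_LOGIN_ORIGINS).action,
    sameSite: autofillDecisionSameSite(top, frame, SAVED_LOGIN_ORIGINS).action,
  }));
}

for (const row of runScenarios()) {
  console.log(`${row.top} framing ${row.frame}: strict=${row.strict} sameSite=${row.sameSite}`);
}
```

The last scenario is the trade-off from the developer comment in one line of output: relaxing to eTLD+1 keeps sites that frame a login sub-domain working, but it also silently fills the form whenever any sibling sub-domain is the top-level page, so the strict same-origin rule plus a prompt is the policy that holds across both cases.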