Open Bug 786276 Opened 8 years ago Updated 4 months ago

Don't autofill passwords in frames that are not same-origin with top-level page

(Toolkit :: Password Manager, defect, P3)

(Reporter: causeless, Unassigned)

(Depends on 1 open bug, Blocks 1 open bug)

(Keywords: privacy, sec-low, Whiteboard: security:passwords)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1

Steps to reproduce:

In some SNSs, click-jacking is not prevented on the login form if the user is logged out.
If you have saved a password, click-jacking may lead users into logging in unintentionally via autofilled passwords.
It's a sort of click-jacking vulnerability on the server side, but it affects all users of the insecure SNS.

I've already found as one of such SNSs, or their other locales are not prevented from CSRF/clickjacking.

Actual results:

Some SNSs display users' status, like their realtime location, to the whole world if logged in. So an unintentional login may cause a serious user information leakage.

Expected results:

The password autofiller must be allowed only if the URL displayed on the location bar matches the origin of the password form to be autofilled.
Seems the same attack, but I think the resolution suggested by Daniel Veditz is inappropriate.
Requiring users to manually fill the username will also prevent this attack, but the same-origin policy I wrote above allows automatic prevention.

And for 2 years, more SNSs may leak sensitive information if users log in unintentionally.
Component: Untriaged → Security
See Also: → 610997
Component: Security → Untriaged
Matt, can you look at this to confirm it?
I suspect the password manager folks will reject this approach since some sites host their generic "account" login on a sub-domain that differs (e.g. sites sometimes (used to?) frame We could take an eTLD+1 approach, but then other folks will point out this leaves sites with mutually hostile sibling domains unprotected (e.g. livejournal).
Group: core-security
Component: Untriaged → Password Manager
Depends on: 610997
Ever confirmed: true
Keywords: privacy, sec-low
Product: Firefox → Toolkit
Summary: Password Autofill leaks realtime location of SNS users → Don't autofill passwords in frames that are not same-origin with top-level page
I think "semi-automatic" autofill would be a better implementation. If the iframe is not same-origin, the password manager should confirm before autofilling the password. This approach requires one additional click from users only if the website is clickjackable. It will create an incentive to think about clickjacking.

1. Autofill if iframe.src is same-origin with location.href.
2. If not, confirm "Your password of will be autofilled. (Y/n)"
3. If yes, fill the saved password.

This will not lose any saved passwords but protects users properly.
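As an added illustration of the three-step policy in the comment above (example code, not Firefox's own password-manager code): a small JavaScript decision function that compares the frame's origin with the top-level page's origin using the WHATWG `URL` parser, so sibling subdomains and opaque origins (about:blank, data:) count as cross-origin. The `savedLoginOrigin` parameter and the "deny" result are assumptions of this example, standing in for the password manager's own check that a saved login belongs to the form's origin.

```javascript
// Added example: decide whether a saved password may be autofilled into a
// login form that lives in a frame. Policy from the comment above: autofill
// only when the frame is same-origin with the top-level document, otherwise
// ask the user first. Origins are compared as scheme + host + port (the
// same-origin policy), not by eTLD+1, so login.sns.example.test and
// sns.example.test are different origins.

// Return the serialised origin of a URL string, or null for opaque origins
// (about:blank, data:, unparsable input). Default ports are normalised away.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;            // unparsable URL: treat as opaque
  }
  // The WHATWG URL API serialises an opaque origin as the string "null".
  if (url.origin === "null") {
    return null;
  }
  return url.origin;        // e.g. "https://sns.example.test"
}

// True only when both URLs have a non-opaque origin and the origins match.
function isSameOrigin(topUrl, frameUrl) {
  const top = originOf(topUrl);
  const frame = originOf(frameUrl);
  return top !== null && frame !== null && top === frame;
}

// Decision for a login form found in a frame:
//   "deny"     - form origin is opaque or no login is saved for it (assumed
//                pre-check; the page's policy starts from a matching login)
//   "autofill" - frame is same-origin with the top-level page (step 1)
//   "confirm"  - cross-origin frame: prompt the user before filling (steps 2-3)
function decideAutofill(topUrl, frameUrl, savedLoginOrigin) {
  const formOrigin = originOf(frameUrl);
  if (formOrigin === null || formOrigin !== savedLoginOrigin) {
    return "deny";
  }
  return isSameOrigin(topUrl, frameUrl) ? "autofill" : "confirm";
}
```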
Depends on: 1118400
Blocks: 1118400
No longer depends on: 1118400
Priority: -- → P3
Whiteboard: security:passwords
OS: Windows 7 → All
Hardware: x86_64 → All
See Also: 610997
Version: 18 Branch → Trunk
Duplicate of this bug: 1626153