Open Bug 786276 Opened 8 years ago Updated 4 months ago

Don't autofill passwords in frames that are not same-origin with top-level page

Categories

(Toolkit :: Password Manager, defect, P3)

People

(Reporter: causeless, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: privacy, sec-low, Whiteboard: security:passwords)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1

Steps to reproduce:

In some SNSs, clickjacking is not prevented on the login form if the user is logged out.
If you have saved a password, clickjacking may lead users into logging in unintentionally via autofilled passwords.
It's a sort of clickjacking vulnerability on the server side, but it affects all users of the insecure SNS.

I've already found foursquare.com as one such SNS.
https://ja.foursquare.com/login or their other locales are not protected against CSRF/clickjacking.


Actual results:

Some SNSs display users' status, such as their real-time location, to the whole world if they are logged in. So an unintentional login may cause a serious leakage of user information.



Expected results:

The password autofiller must be allowed only if the URL displayed in the location bar matches the origin of the password form to be autofilled.
https://bugzilla.mozilla.org/show_bug.cgi?id=610997
seems to be the same attack, but I think the resolution suggested by Daniel Veditz is inappropriate.
Requiring users to manually fill in the username will also prevent this attack, but the same-origin policy I wrote above allows automatic prevention.

And for 2 years, more SNSs may leak sensitive information if the user logs in unintentionally.
Component: Untriaged → Security
See Also: → 610997
Component: Security → Untriaged
Matt, can you look at this to confirm it?
I suspect the password manager folks will reject this approach since some sites host their generic "account" login on a sub-domain that differs (e.g. google.com sites sometimes (used to?) frame accounts.google.com). We could take an eTLD+1 approach, but then other folks will point out this leaves sites with mutually hostile sibling domains unprotected (e.g. livejournal).
Group: core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → Password Manager
Depends on: 610997
Ever confirmed: true
Keywords: privacy, sec-low
Product: Firefox → Toolkit
Summary: Password Autofill leaks realtime location of SNS users → Don't autofill passwords in frames that are not same-origin with top-level page
I think "semi-automatic" autofill would be a better implementation. If the iframe is not same-origin, the password manager should confirm before autofilling the password. This approach requires one additional click from users only if the website is clickjackable. It will create an incentive to think about clickjacking.

Example:
1. Autofill if iframe.src is same-origin with location.href.
2. If not, confirm "Your password of login.example.com will be autofilled. (Y/n)"
3. If yes, fill the saved password.
This will not lose any saved passwords but protects users properly.
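The decision logic from the three-step proposal above, together with the eTLD+1 alternative raised in the triage comment, as an added example that is not Firefox's password manager code. It assumes hypothetical hosts (login.example.com, livejournal.example), a constructed stand-in for the Public Suffix List, and the function names autofillDecision / isSameOrigin / isSameSite; a real implementation would consult the full Public Suffix List.

```javascript
// Added example (not Firefox code): decide whether a saved password may be
// auto-filled into a login form shown inside a frame, comparing the frame's
// origin with the top-level page's origin. Two URLs are same-origin when
// scheme, host and port all match (URL.origin normalises default ports).

function originOf(urlString) {
  return new URL(urlString).origin;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed, deliberately tiny stand-in for the Public Suffix List.
// A real implementation must use the full list.
const PUBLIC_SUFFIXES = new Set(["com", "example", "co.uk"]);

// Registrable domain (eTLD+1): longest matching public suffix plus one label.
function registrableDomain(host) {
  const labels = host.split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join(".");
  }
  return host;
}

// "Same site" here means same scheme and same eTLD+1. This is looser than
// same-origin: mutually hostile sibling subdomains of one site count as the
// same site, which is the concern raised for livejournal-style hosting.
function isSameSite(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol &&
    registrableDomain(ua.hostname) === registrableDomain(ub.hostname);
}

// Returns the action for a login form in `frameUrl` embedded by `topUrl`.
//   "fill"    - silently fill (same-origin, or same-site under the eTLD+1 policy)
//   "confirm" - cross-origin frame: ask the user first (one extra click)
//   "skip"    - nothing saved for the form's origin
function autofillDecision(topUrl, frameUrl, savedOrigins, policy = "same-origin") {
  if (!savedOrigins.has(originOf(frameUrl))) return "skip";
  if (isSameOrigin(topUrl, frameUrl)) return "fill";
  if (policy === "etld+1" && isSameSite(topUrl, frameUrl)) return "fill";
  return "confirm";
}

// Prompt text from step 2 of the proposal, parameterised on the form's host.
function confirmMessage(frameUrl) {
  return `Your password of ${new URL(frameUrl).host} will be autofilled. (Y/n)`;
}

// Constructed sample: credentials saved for two hypothetical login origins.
const savedOrigins = new Set([
  "https://login.example.com",
  "https://accounts.livejournal.example",
]);

// Demonstration when run directly with Node.
if (typeof require !== "undefined" && require.main === module) {
  const cases = [
    ["https://login.example.com/", "https://login.example.com/form", "same-origin"],
    ["https://framing-site.example/", "https://login.example.com/form", "same-origin"],
    ["http://login.example.com/", "https://login.example.com/form", "same-origin"],
    ["https://www.livejournal.example/", "https://accounts.livejournal.example/form", "same-origin"],
    ["https://www.livejournal.example/", "https://accounts.livejournal.example/form", "etld+1"],
    ["https://login.example.com/", "https://other.example/form", "same-origin"],
  ];
  for (const [top, frame, policy] of cases) {
    const action = autofillDecision(top, frame, savedOrigins, policy);
    console.log(`${policy.padEnd(11)} top=${top} frame=${frame} => ${action}`);
    if (action === "confirm") console.log("  prompt:", confirmMessage(frame));
  }
}
```

The last two livejournal cases show the trade-off in the triage comment: strict same-origin asks for confirmation when one subdomain frames another, while eTLD+1 fills silently for any sibling subdomain of the same registrable domain.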
Depends on: 1118400
Blocks: 1118400
No longer depends on: 1118400
Priority: -- → P3
Whiteboard: security:passwords
OS: Windows 7 → All
Hardware: x86_64 → All
See Also: 610997
Version: 18 Branch → Trunk
Duplicate of this bug: 1626153