[GitHub issue by mcjimenez on 2012-09-14T09:23:14Z, https://github.com/mozilla-b2g/gaia/issues/4729] We have run an automated vulnerability analysis on the Gaia code. After manually filtering the results we have found the following possible issue on the calendar app:

* /index.html

The form in index.html uses autocompletion on line 313, which allows some browsers to retain sensitive information in their history.

```html
309 </li>
310 <li class="password">
311 <input name="password" data-l10n-id="field-password" placeholder="Password" type="password" />
312 </li>
313 <li class="full-url">
```

The web form contains password fields with autocomplete enabled. Autocomplete stores fields locally on the browser so those fields are automatically filled when the user visits the same site again. That could allow sensitive data to be stolen if the device is compromised. Autocomplete isn't a standard browser feature though and different browsers treat it in different ways. In any case, we recommend disabling this characteristic. There are two ways to do so:

- Field by field:

```html
<input name="password" id="id_password" type="password" autocomplete="off">
```

- Or at form level:

```html
<form method="post" action="/en-US/login" class="form-grid" autocomplete="off">
```
[GitHub comment by mcjimenez on 2012-09-15T09:54:49Z] cc @AntonioMA
[GitHub comment by lightsofapollo on 2012-09-18T01:07:04Z] @mcjimenez Sorry, the formatting in the issue seems broken, I can't really tell what is going on between the blocks, for example after "Or at form level:" there is no following text. I assume that where 309, 310, etc. are is supposed to be a snippet of code?
[GitHub comment by mcjimenez on 2012-09-20T11:36:19Z] Nice catch, it seems github wasn't showing the code. Corrected now. Thank you
I've searched for input elements with type=password in the codebase and found some more:

- SIM-PIN: apps/communications/ftu/index.html:54
- WIFI-password: apps/communications/ftu/index.html:161
- Email-account password: apps/email/index.html:383
- Email-account password correction: apps/email/index.html:502
- Gmail two factor auth password: apps/email/index.html:534
- TNG? account credentials: apps/email/index.html:718
- WIFI-password: apps/settings/index.html:136
- hidden WIFI-password: apps/settings/index.html:178
- HTTP authentication dialog: apps/system/index.html:484
- HTTP authentication dialog: apps/browser/index.html:203
- Persona account password: external-apps/marketplace-dev/cache/marketplace-dev.allizom.org/telefonica/offline/home:223

Some of these should probably not be stored on the device, like the SIM-PIN or the persona password. I don't know how the password management works or if there is one. Can anyone shed some light on that?
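As an added example that is not part of this issue or of the Gaia project, the following Python script automates the check described in the report and the search above: it walks an HTML document and reports every `<input type="password">` that is not covered by `autocomplete="off"` either on the field itself or on an enclosing `<form>` (the two remediation options the report gives). The sample markup is constructed here to mimic the calendar form snippet and is not taken from Gaia.

```python
from html.parser import HTMLParser


class PasswordAutocompleteAudit(HTMLParser):
    """Collect <input type="password"> fields with autocomplete still enabled.

    A field counts as covered when it carries autocomplete="off" itself or
    when any open <form> ancestor does (forms do not nest in valid HTML,
    but a stack keeps the check correct if they do)."""

    def __init__(self):
        super().__init__()
        self.form_stack = []   # True for each open <form> that has autocomplete="off"
        self.findings = []     # (line number, field name) of uncovered password fields

    def handle_starttag(self, tag, attrs):
        # Attribute names and the values we compare are matched case-insensitively.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_stack.append(a.get("autocomplete", "").lower() == "off")
        elif tag == "input" and a.get("type", "").lower() == "password":
            field_off = a.get("autocomplete", "").lower() == "off"
            if not (field_off or any(self.form_stack)):
                self.findings.append((self.getpos()[0], a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def audit_password_fields(html: str):
    """Return [(line, name), ...] for password inputs that still autocomplete."""
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one uncovered field, one fixed per field, one fixed per form.
SAMPLE = """\
<form class="account">
  <li class="password">
    <input name="password" type="password" placeholder="Password" />
  </li>
</form>
<form>
  <input name="pin" type="password" autocomplete="off" />
</form>
<form autocomplete="off">
  <input name="wifi" type="password" />
</form>
"""

if __name__ == "__main__":
    for line, name in audit_password_fields(SAMPLE):
        print(f"line {line}: password field '{name}' allows autocomplete")
```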
I don't think the password field is doing anything bad, or this would've been raised as an issue already. This also seems like something we should solve at the platform level perhaps. Going to close for now, but please re-open or re-file if you still have concerns.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WORKSFORME