[calendar] Vulnerability analysis issues

RESOLVED WORKSFORME

Status

Product: Firefox OS
Component: Gaia::Calendar
Status: RESOLVED WORKSFORME
Reported: 5 years ago
Modified: 4 years ago

People

(Reporter: GH to BZ, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [label:calendar])

Description

(Reporter, 5 years ago)
[GitHub issue by mcjimenez on 2012-09-14T09:23:14Z, https://github.com/mozilla-b2g/gaia/issues/4729]
We have run an automated vulnerability analysis on the Gaia code. 
After manually filtering the results we have found the following possible issue on the calendar app:

* /index.html

The form in index.html uses autocompletion on line 313, which allows some browsers to retain sensitive information in their history.

```html
309 </li>
310 <li class="password">
311 <input name="password" data-l10n-id="field-password" placeholder="Password" type="password" />
312 </li>
313 <li class="full-url">
```
The web form contains password fields with autocomplete enabled. Autocomplete stores fields
locally on the browser so those fields are automatically filled when the user visits the same site
again. That could allow sensitive data to be stolen if the device is compromised. Autocomplete isn't a
standard browser feature though, and different browsers treat it in different ways.
In any case, we recommend disabling this characteristic.
There are two ways to do so:
- Field by field:

```html
<input name="password" id="id_password" type="password" autocomplete="off">
```

- Or at form level:

```html
<form method="post" action="/en-US/login" class="form-grid" autocomplete="off">
```
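The check the report describes (password inputs whose effective autocomplete setting is not "off", whether set on the input or inherited from the enclosing form) can be reproduced offline with a small static scanner. The following is an added example written for this page, not the analysis tool the reporter used and not Gaia code; the HTML it scans is a constructed sample modelled on the snippet above, and the class and function names are this example's own. Note that current desktop browsers ignore autocomplete="off" on password fields in favour of their own password manager, so the attribute is a hint to the browser rather than a control; the scanner only reports what the markup asks for.

```python
from html.parser import HTMLParser

# Constructed sample, not Gaia's real index.html. The first form leaves
# autocomplete at its default, the second opts out at form level, the third
# mixes a field-level opt-out with an explicit opt-in.
SAMPLE_HTML = """
<form id="account">
  <ul>
    <li class="password">
      <input name="password" data-l10n-id="field-password" placeholder="Password" type="password" />
    </li>
    <li class="full-url">
      <input name="url" type="text" />
    </li>
  </ul>
</form>
<form id="login" autocomplete="off">
  <input name="password" id="id_password" type="password">
</form>
<form id="mixed">
  <input name="pin" type="password" autocomplete="off">
  <input name="pw" type="password" autocomplete="on">
</form>
"""


class PasswordFieldAudit(HTMLParser):
    """Collect password inputs whose effective autocomplete value is not 'off'.

    The effective value is the input's own attribute when present, otherwise
    the nearest open form's; with neither present the browser default applies,
    which is autocomplete on. Self-closing <input .../> tags reach
    handle_starttag through HTMLParser's default handle_startendtag.
    """

    def __init__(self):
        super().__init__()
        self.form_stack = []  # autocomplete values of currently open <form> elements
        self.findings = []    # (line, column, field name, effective value)

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_stack.append(attrs.get("autocomplete", "").strip().lower())
        elif tag == "input" and attrs.get("type", "text").strip().lower() == "password":
            own = attrs.get("autocomplete", "").strip().lower()
            inherited = self.form_stack[-1] if self.form_stack else ""
            effective = own or inherited or "on (default)"
            if effective != "off":
                line, col = self.getpos()  # position of the offending tag
                self.findings.append((line, col, attrs.get("name", "?"), effective))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def audit_password_fields(html):
    """Return a list of (line, column, name, effective_autocomplete) findings."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, col, name, effective in audit_password_fields(SAMPLE_HTML):
        print(f"line {line}, col {col}: password field '{name}' has autocomplete={effective}")
```

Running the block against the sample reports the first form's password field (no attribute anywhere, so the default applies) and the explicit autocomplete="on" field in the third form, while the form-level and field-level opt-outs are accepted. Pointing audit_password_fields at each apps/*/index.html would reproduce a location list like the one in Comment 4.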
Comment 1

(Reporter, 5 years ago)
[GitHub comment by mcjimenez on 2012-09-15T09:54:49Z]
cc @AntonioMA
Comment 2

(Reporter, 5 years ago)
[GitHub comment by lightsofapollo on 2012-09-18T01:07:04Z]
@mcjimenez Sorry, the formatting in the issue seems broken, I can't really tell what is going on between the blocks for example "Or at form level:" there is no following text. I assume where 309, 310, etc. are are supposed to be a snippet of code?
Comment 3

(Reporter, 5 years ago)
[GitHub comment by mcjimenez on 2012-09-20T11:36:19Z]
Nice catch, it seems github wasn't showing the code. Corrected now. Thank you
Component: Gaia → Gaia::Calendar

Comment 4

(5 years ago)
I've searched for input elements with type=password in the codebase and found some more:

SIM-PIN:
apps/communications/ftu/index.html:54

WIFI-password:
apps/communications/ftu/index.html:161

Email-account password
apps/email/index.html:383

Email-account password correction
apps/email/index.html:502

Gmail two factor auth password
apps/email/index.html:534

TNG? account credentials
apps/email/index.html:718

WIFI-password:
apps/settings/index.html:136

hidden WIFI-password:
apps/settings/index.html:178

HTTP authentication dialog
apps/system/index.html:484

HTTP authentication dialog
apps/browser/index.html:203

Persona account password
external-apps/marketplace-dev/cache/marketplace-dev.allizom.org/telefonica/offline/home:223


Some of these should probably not be stored on the device, like the SIM-PIN or the persona password. I don't know how the password management works or if there is one. Can anyone shed some light on that?
I don't think the password field is doing anything bad, or this would've been raised as an issue already. This also seems like something we should solve at the platform level perhaps. Going to close for now, but please re-open or re-file if you still have concerns.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WORKSFORME