Searched text is selected on web page immediately, which can expose it to scripts

Status: NEW
Assignee: Unassigned
Reporter: shachaf+bugzilla
Opened 5 years ago, updated 5 years ago
Version: Trunk
Platform: x86_64, Linux
Firefox Tracking Flags: Not tracked
Attachments: 1

Description (Reporter, 5 years ago)

Created attachment 760043: proof of concept

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20100101 Firefox/10.0.12 Iceweasel/10.0.12 (Beta/Release)
Build ID: 20130303204535

Steps to reproduce:

Opened attached web page, searched for any text.


Actual results:

Web page was able, via repeatedly checking text selection and updating text, to figure out what I typed in the search box. (With some more work the page can actually add the searched text to the list of passwords, so that the search is less suspicious.) If I had been searching for my password the page could have uploaded it somewhere.


Expected results:

In some browsers -- e.g. Chrome -- searched text selection is not visible to the web page until the search box is closed. I don't know if this is the right thing to do, but this sort of situation should at least be considered -- as a user I typically expect that what I type in the search box is somewhat secret.

Updated (Reporter, 5 years ago)
Attachment #760043 - Attachment mime type: text/plain → text/html

Comment 1 (5 years ago)
Marking NEW as this reproduces on Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130607 Firefox/24.0 ID:20130607031055 CSet: dc8e78ed8c44
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
Version: 10 Branch → Trunk
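
The description above contrasts two behaviours: find-bar matches becoming the page-visible selection immediately, versus only once the search box is closed. The following is an added example, not part of the bug report or of any browser's code: a simplified model of both policies showing what a page script reading the selection would observe. The class, the `policy` switch, and the sample page text and keystrokes are all constructed for illustration.

```javascript
// Simplified model of a find bar, constructed for illustration; it is not
// Gecko or Chromium code. `policy` is a hypothetical switch between the two
// behaviours the report contrasts:
//   "immediate": each find-bar match becomes the page-visible selection at once
//   "deferred":  the match is published only when the find bar is closed
class FindBarModel {
  constructor(pageText, policy) {
    this.pageText = pageText;
    this.policy = policy;
    this.query = "";
    this.pageSelection = ""; // what a page script would read as the selection
  }
  currentMatch() {
    if (this.query === "") return "";
    const i = this.pageText.indexOf(this.query);
    return i < 0 ? "" : this.pageText.slice(i, i + this.query.length);
  }
  key(k) {
    // "\b" stands for Backspace; any other value is a typed character.
    this.query = k === "\b" ? this.query.slice(0, -1) : this.query + k;
    if (this.policy === "immediate") this.pageSelection = this.currentMatch();
  }
  close() {
    this.pageSelection = this.currentMatch();
  }
}

// Returns every distinct non-empty selection a page script would observe if
// it read the selection after each keystroke and once more after the find
// bar closes.
function observedByPage(pageText, policy, keys) {
  const bar = new FindBarModel(pageText, policy);
  const seen = [];
  const sample = () => {
    const s = bar.pageSelection;
    if (s !== "" && seen[seen.length - 1] !== s) seen.push(s);
  };
  for (const k of keys) { bar.key(k); sample(); }
  bar.close();
  sample();
  return seen;
}

// Constructed input: the user starts typing a secret into the find bar,
// notices, erases it, then searches for "page" and closes the bar.
const PAGE = "sample page text: abc123 and more";
const KEYS = [..."abc", "\b", "\b", "\b", ..."page"];
```

In the deferred model the final match still becomes visible when the bar closes, so a query left in the box is exposed at that point; only intermediate and erased input stays hidden from the page.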