Closed
Bug 886731
Opened 11 years ago
Closed 11 years ago
Stored in Firefox password automatically typed
Categories
(Toolkit :: Password Manager, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 359675
People
(Reporter: marcing.dev, Unassigned)
Details
(Keywords: reporter-external)
Attachments
(1 file)
1.13 MB,
image/jpeg
|
Details |
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 20130511120803
Steps to reproduce:
I've created two simple pages. One is login page with form and fields for username and password. Second one contain form with hidden (display: none) password field, and div. When mouse is over div a script is executed which log the hidden password value. For this to work we can't have (probably) any more credentials stored for testing domain, that's why I modified my hosts file.
Actual results:
Firstly I've logged using valid login page and remembered my credentials in Firefox. Then I visited the second page and triggered the script. My remembered password showed in console log. I think that creating second field with type="text" will make Firefox give login and password. You can find screenshots with every step I've made in attachment.
Expected results:
Firefox shouldn't insert password inside hidden fields. But this can be workaround with moving them away from screen. The best solution would be to write pass to field only when user type his login or choose his login from drop down list. That's how it works in other browser I've checked (I don't say they can't be fooled somehow :)
I think this bug is critical. With XSS on page one can grab people's credential and they will not even notice (attacker don't need active session, as in cookie-steal scenario).
I haven't published this information anywhere and I'm filling for Bug Bounty program.
I'll be happy to give more information.
Reporter | ||
Comment 1•11 years ago
|
||
I've just confirmed that creating text field (also hidden with CSS) results in full credentials leakage (couldn't find better word for that).
Comment 2•11 years ago
|
||
Not security-sensitive. The credentials are for the current web page in any case.
I suspect that this is INVALID, but I'll let the module owners make that call.
Group: core-security
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Comment 3•11 years ago
|
||
(In reply to Benjamin Smedberg [:bsmedberg] from comment #2)
> The credentials are for the current web page in any case.
Not always much comfort, see bug 408531
In bug 359675 an option was created to make password filling more manual, but it's not the default, it's hidden, and relatively poor UI since it was codged together with minimal effort.
Please go to about:config and toggle the signon.autofillForms to false.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Flags: sec-bounty-
Resolution: --- → DUPLICATE
Updated•6 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•