Closed Bug 886731 Opened 11 years ago Closed 11 years ago

Stored in Firefox password automatically typed

Categories

(Toolkit :: Password Manager, defect)

21 Branch
x86_64
Windows 7
defect
Not set
normal

RESOLVED DUPLICATE of bug 359675

People

(Reporter: marcing.dev, Unassigned)

Details

(Keywords: reporter-external)

Attachments

(1 file)

Attached image Steps I've made
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 20130511120803

Steps to reproduce:

I've created two simple pages. One is a login page with a form and fields for username and password. The second one contains a form with a hidden (display: none) password field, and a div. When the mouse is over the div, a script is executed which logs the hidden password value. For this to work we can't have (probably) any more credentials stored for the testing domain; that's why I modified my hosts file.


Actual results:

First I logged in using the valid login page and remembered my credentials in Firefox. Then I visited the second page and triggered the script. My remembered password showed in the console log. I think that creating a second field with type="text" will make Firefox give login and password. You can find screenshots of every step I've made in the attachment.


Expected results:

Firefox shouldn't insert passwords into hidden fields. But this can be worked around by moving them off screen. The best solution would be to write the password to the field only when the user types his login or chooses his login from a drop-down list. That's how it works in the other browsers I've checked (I don't say they can't be fooled somehow :)
I think this bug is critical. With XSS on a page one can grab people's credentials and they will not even notice (the attacker doesn't need an active session, as in the cookie-steal scenario).

I haven't published this information anywhere and I'm filing for the Bug Bounty program.

I'll be happy to give more information.
I've just confirmed that creating a text field (also hidden with CSS) results in full credentials leakage (couldn't find a better word for that).
Not security-sensitive. The credentials are for the current web page in any case.

I suspect that this is INVALID, but I'll let the module owners make that call.
Group: core-security
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
(In reply to Benjamin Smedberg [:bsmedberg] from comment #2)
> The credentials are for the current web page in any case.

Not always much comfort, see bug 408531

In bug 359675 an option was created to make password filling more manual, but it's not the default, it's hidden, and relatively poor UI since it was codged together with minimal effort.

Please go to about:config and toggle the signon.autofillForms to false.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Flags: sec-bounty-
Resolution: --- → DUPLICATE
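
A defender-side check for the pattern the reporter describes (login inputs hidden with CSS or moved off screen, where a password manager may still autofill them), added here as an example and not part of the original bug thread or of Firefox's code. The function names and the size and off-screen thresholds are assumptions.

```javascript
// Added example: report text/password inputs that exist in the DOM but that
// the user cannot see. Intended for a site owner's page audit or an
// extension content script; doc and win are passed in so it can be tested.

function concealmentReason(el, win) {
  // display:none on any ancestor hides the field, so walk up the tree.
  for (let node = el; node && node.nodeType === 1; node = node.parentElement) {
    const cs = win.getComputedStyle(node);
    if (cs.display === 'none') return 'display:none';
    if (cs.visibility === 'hidden') return 'visibility:hidden';
    if (parseFloat(cs.opacity) === 0) return 'opacity:0';
  }
  const r = el.getBoundingClientRect();
  // Assumed threshold: anything under 2px cannot be used as a real field.
  if (r.width < 2 || r.height < 2) return 'zero-size';
  // Positioned at negative document offsets, so scrolling never reveals it.
  if (r.right + win.scrollX <= 0 || r.bottom + win.scrollY <= 0) {
    return 'off-screen';
  }
  return null;
}

function findConcealedCredentialFields(doc, win) {
  const findings = [];
  for (const el of doc.querySelectorAll('input')) {
    // A missing type attribute means a text input.
    const type = (el.getAttribute('type') || 'text').toLowerCase();
    if (type !== 'password' && type !== 'text') continue;
    const reason = concealmentReason(el, win);
    if (reason) {
      findings.push({ name: el.getAttribute('name') || '', type, reason });
    }
  }
  return findings;
}

// In a browser console or content script, print the findings for this page.
if (typeof document !== 'undefined') {
  console.table(findConcealedCredentialFields(document, window));
}
```

A finding is a prompt to review the markup, not proof of abuse: legitimate pages also keep inactive form steps hidden.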