Closed
Bug 925376
Opened 11 years ago
Closed 11 years ago
Autofilled usernames+passwords should not be accessible to page JS before form submit
Categories: Toolkit :: Password Manager, defect
Status: RESOLVED DUPLICATE of bug 653132
Reporter: zwol
Assignee: Unassigned
Keywords: privacy
If I visit a site where I have an account, with credentials saved into the password manager, but am logged out, and (as is common nowadays) there is a login form on every page when you're logged out, page JS can read the values of the form fields and determine which user I am, even though I'm logged out. This constitutes a privacy leak -- presumably I have logged out at least in part because I *don't* want the site to be aware of which of their users I am, right now. This has actually been observed "in the wild", on Quora, as described at the link.
Comment 1 • 11 years ago
This is a dupe of bug 653132. Thanks for the report.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE