Closed Bug 925376 Opened 11 years ago Closed 11 years ago

Autofilled usernames+passwords should not be accessible to page JS before form submit

Categories

(Toolkit :: Password Manager, defect)

defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 653132

People

(Reporter: zwol, Unassigned)

Details

(Keywords: privacy)

If I visit a site where I have an account, with credentials saved into the password manager, but am logged out, and (as is common nowadays) there is a login form on every page when you're logged out, page JS can read the values of the form fields and determine which user I am, even though I'm logged out.  This constitutes a privacy leak -- presumably I have logged out at least in part because I *don't* want the site to be aware of which of their users I am, right now.

This has actually been observed "in the wild", on Quora, as described at the link.

This is a dupe of bug 653132. Thanks for the report.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE