Prohledat stránky podpory

Vyhněte se podvodům. Za účelem poskytnutí podpory vás nikdy nežádáme, abyste zavolali nebo poslali SMS na nějaké telefonní číslo nebo abyste sdělili své osobní údaje. Jakékoliv podezřelé chování nám prosím nahlaste pomocí odkazu „Nahlásit zneužití“.

Zjistit více

The master password dialog box can be spoofed using JS, allowing any site owner to steal your master password.

  • 3 odpovědi
  • 2 mají tento problém
  • 1 zobrazení
  • Poslední odpověď od cor-el

more options

In the event that a user is using a Master Password to protect their website passwords, the Master Password dialog box can pop-up either on first boot of Firefox, or within a browsing session (if not entered on first boot). There are two problems here: the first is that the dialog box seemingly pops up at random, and the second is that it lacks any sort of visual signals to indicate that it is an "authentic" request for the Master Password from the Firefox browser.

(Case in point for issue #1: the Master Password dialog just popped up as I was typing this -- I did not browse to any page where a login was required!)

While a typical/simple javascript dialog does not look exactly the same as the MP dialog, the average/busy/tired user may not notice the difference and enter their password by habit. This is how many phishing scams work; things don't need to look exactly the same, just close enough so that a habitual behavior is triggered. Look at the attached image; can the average user tell me if that's the authentic login or a spoofed login without going and checking first?

I'm willing to bet a LOT of users have the same master password as their Firefox account password. Even if that's not the case, this is a security issue that was brought up 3 years ago and misinterpreted/not addressed. I hope this is taken more seriously, and I'm happy to help the discussion along with examples if needed.

Thanks to Mozilla for all the great work they've done! Firefox is still my browser of choice!

In the event that a user is using a Master Password to protect their website passwords, the Master Password dialog box can pop-up either on first boot of Firefox, or within a browsing session (if not entered on first boot). There are two problems here: the first is that the dialog box seemingly pops up at random, and the second is that it lacks any sort of visual signals to indicate that it is an "authentic" request for the Master Password from the Firefox browser. (Case in point for issue #1: the Master Password dialog just popped up as I was typing this -- I did not browse to any page where a login was required!) While a typical/simple javascript dialog does not look exactly the same as the MP dialog, the average/busy/tired user may not notice the difference and enter their password by habit. This is how many phishing scams work; things don't need to look exactly the same, just close enough so that a habitual behavior is triggered. Look at the attached image; can the average user tell me if that's the authentic login or a spoofed login without going and checking first? I'm willing to bet a LOT of users have the same master password as their Firefox account password. Even if that's not the case, this is a security issue that was brought up 3 years ago and misinterpreted/not addressed. I hope this is taken more seriously, and I'm happy to help the discussion along with examples if needed. Thanks to Mozilla for all the great work they've done! Firefox is still my browser of choice!
Přiložené obrázky

Upravil uživatel habs0708 dne

Všechny odpovědi (3)

more options

Does little good here.

To submit suggestions for new or changed features, may I suggest: Feedback: https://qsurvey.mozilla.com/s3/FirefoxInput/

If you have a bug, file a bug report. https://bugzilla.mozilla.org/ Bug Writing Guidelines : https://developer.mozilla.org/en-US/docs/Mozilla/QA/Bug_writing_guidelines

Please let us know if this solved your issue or if need further assistance.

more options

Perhaps post a proposal on this forum:

https://discourse.mozilla.org/c/firefox-development

Some sites are trying to spoof the little panels that drop from the address bar, too, but they can't add a key icon into the bar (or whatever icon would be associated with the panel) so that still might be much better than the traditional style of pop-up.

more options

If you are unsure then close this dialog and login manually in the Password Manager.

  • Options/Preferences -> Privacy & Security: Logins: "Saved Logins" -> "Show Passwords"

If you press cancel on the MP dialog then the MP is reset and you need to re-enter the MP to be able to access the passwords.

Note that on Linux this prompt shows a key icon.

Upravil uživatel cor-el dne