Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Pesquisar no site de suporte

Evite golpes de suporte. Nunca pedimos que você ligue ou envie uma mensagem de texto para um número de telefone, ou compartilhe informações pessoais. Denuncie atividades suspeitas usando a opção “Denunciar abuso”.

Saiba mais

Esta discussão foi arquivada. Faça uma nova pergunta se precisa de ajuda.

The master password dialog box can be spoofed using JS, allowing any site owner to steal your master password.

  • 3 respostas
  • 2 têm este problema
  • 1 exibição
  • Última resposta de cor-el

more options

In the event that a user is using a Master Password to protect their website passwords, the Master Password dialog box can pop-up either on first boot of Firefox, or within a browsing session (if not entered on first boot). There are two problems here: the first is that the dialog box seemingly pops up at random, and the second is that it lacks any sort of visual signals to indicate that it is an "authentic" request for the Master Password from the Firefox browser.

(Case in point for issue #1: the Master Password dialog just popped up as I was typing this -- I did not browse to any page where a login was required!)

While a typical/simple javascript dialog does not look exactly the same as the MP dialog, the average/busy/tired user may not notice the difference and enter their password by habit. This is how many phishing scams work; things don't need to look exactly the same, just close enough so that a habitual behavior is triggered. Look at the attached image; can the average user tell me if that's the authentic login or a spoofed login without going and checking first?

I'm willing to bet a LOT of users have the same master password as their Firefox account password. Even if that's not the case, this is a security issue that was brought up 3 years ago and misinterpreted/not addressed. I hope this is taken more seriously, and I'm happy to help the discussion along with examples if needed.

Thanks to Mozilla for all the great work they've done! Firefox is still my browser of choice!

In the event that a user is using a Master Password to protect their website passwords, the Master Password dialog box can pop-up either on first boot of Firefox, or within a browsing session (if not entered on first boot). There are two problems here: the first is that the dialog box seemingly pops up at random, and the second is that it lacks any sort of visual signals to indicate that it is an "authentic" request for the Master Password from the Firefox browser. (Case in point for issue #1: the Master Password dialog just popped up as I was typing this -- I did not browse to any page where a login was required!) While a typical/simple javascript dialog does not look exactly the same as the MP dialog, the average/busy/tired user may not notice the difference and enter their password by habit. This is how many phishing scams work; things don't need to look exactly the same, just close enough so that a habitual behavior is triggered. Look at the attached image; can the average user tell me if that's the authentic login or a spoofed login without going and checking first? I'm willing to bet a LOT of users have the same master password as their Firefox account password. Even if that's not the case, this is a security issue that was brought up 3 years ago and misinterpreted/not addressed. I hope this is taken more seriously, and I'm happy to help the discussion along with examples if needed. Thanks to Mozilla for all the great work they've done! Firefox is still my browser of choice!
Capturas de tela anexadas

Alterado por habs0708 em

Todas as respostas (3)

more options

Does little good here.

To submit suggestions for new or changed features, may I suggest: Feedback: https://qsurvey.mozilla.com/s3/FirefoxInput/

If you have a bug, file a bug report. https://bugzilla.mozilla.org/ Bug Writing Guidelines : https://developer.mozilla.org/en-US/docs/Mozilla/QA/Bug_writing_guidelines

Please let us know if this solved your issue or if need further assistance.

more options

Perhaps post a proposal on this forum:

https://discourse.mozilla.org/c/firefox-development

Some sites are trying to spoof the little panels that drop from the address bar, too, but they can't add a key icon into the bar (or whatever icon would be associated with the panel) so that still might be much better than the traditional style of pop-up.

more options

If you are unsure then close this dialog and login manually in the Password Manager.

  • Options/Preferences -> Privacy & Security: Logins: "Saved Logins" -> "Show Passwords"

If you press cancel on the MP dialog then the MP is reset and you need to re-enter the MP to be able to access the passwords.

Note that on Linux this prompt shows a key icon.

Alterado por cor-el em