The master password dialog box can be spoofed using JS, allowing any site owner to steal your master password.

  • 3 replies
  • 2 have this problem
  • 5 views
  • Last reply by cor-el

In the event that a user is using a Master Password to protect their website passwords, the Master Password dialog box can pop up either on first boot of Firefox, or within a browsing session (if not entered on first boot). There are two problems here: the first is that the dialog box seemingly pops up at random, and the second is that it lacks any sort of visual signals to indicate that it is an "authentic" request for the Master Password from the Firefox browser.

(Case in point for issue #1: the Master Password dialog just popped up as I was typing this -- I did not browse to any page where a login was required!)

While a typical/simple JavaScript dialog does not look exactly the same as the MP dialog, the average/busy/tired user may not notice the difference and enter their password by habit. This is how many phishing scams work; things don't need to look exactly the same, just close enough so that a habitual behavior is triggered. Look at the attached image; can the average user tell me if that's the authentic login or a spoofed login without going and checking first?

I'm willing to bet a LOT of users have the same master password as their Firefox account password. Even if that's not the case, this is a security issue that was brought up 3 years ago and misinterpreted/not addressed. I hope this is taken more seriously, and I'm happy to help the discussion along with examples if needed.

Thanks to Mozilla for all the great work they've done! Firefox is still my browser of choice!

Attached screenshots

Modified by habs0708

All replies (3)

Does little good here.

To submit suggestions for new or changed features, may I suggest: Feedback: https://qsurvey.mozilla.com/s3/FirefoxInput/

If you have a bug, file a bug report. https://bugzilla.mozilla.org/ Bug Writing Guidelines: https://developer.mozilla.org/en-US/docs/Mozilla/QA/Bug_writing_guidelines

Please let us know if this solved your issue or if you need further assistance.

Perhaps post a proposal on this forum:

https://discourse.mozilla.org/c/firefox-development

Some sites are trying to spoof the little panels that drop from the address bar, too, but they can't add a key icon into the bar (or whatever icon would be associated with the panel) so that still might be much better than the traditional style of pop-up.

If you are unsure then close this dialog and log in manually in the Password Manager.

  • Options/Preferences -> Privacy & Security: Logins: "Saved Logins" -> "Show Passwords"

If you press cancel on the MP dialog then the MP is reset and you need to re-enter the MP to be able to access the passwords.

Note that on Linux this prompt shows a key icon.

Modified by cor-el