본 사이트는 여러분의 사용자 경험을 개선하기 위해 유지 보수를 진행하는 동안 기능이 제한됩니다. 도움말로 문제가 해결되지 않고 질문을 하고 싶다면 Twitter의 @FirefoxSupport 및 Reddit의 /r/firefox 채널을 활용하세요.

Mozilla 도움말 검색

고객 지원 사기를 피하세요. 저희는 여러분께 절대로 전화를 걸거나 문자를 보내거나 개인 정보를 공유하도록 요청하지 않습니다. "악용 사례 신고"옵션을 사용하여 의심스러운 활동을 신고해 주세요.

자세히 살펴보기

The master password dialog box can be spoofed using JS, allowing any site owner to steal your master password.

  • 3 답장
  • 2 이 문제를 만남
  • 1 보기
  • 최종 답변자: cor-el

more options

In the event that a user is using a Master Password to protect their website passwords, the Master Password dialog box can pop-up either on first boot of Firefox, or within a browsing session (if not entered on first boot). There are two problems here: the first is that the dialog box seemingly pops up at random, and the second is that it lacks any sort of visual signals to indicate that it is an "authentic" request for the Master Password from the Firefox browser.

(Case in point for issue #1: the Master Password dialog just popped up as I was typing this -- I did not browse to any page where a login was required!)

While a typical/simple javascript dialog does not look exactly the same as the MP dialog, the average/busy/tired user may not notice the difference and enter their password by habit. This is how many phishing scams work; things don't need to look exactly the same, just close enough so that a habitual behavior is triggered. Look at the attached image; can the average user tell me if that's the authentic login or a spoofed login without going and checking first?

I'm willing to bet a LOT of users have the same master password as their Firefox account password. Even if that's not the case, this is a security issue that was brought up 3 years ago and misinterpreted/not addressed. I hope this is taken more seriously, and I'm happy to help the discussion along with examples if needed.

Thanks to Mozilla for all the great work they've done! Firefox is still my browser of choice!

In the event that a user is using a Master Password to protect their website passwords, the Master Password dialog box can pop-up either on first boot of Firefox, or within a browsing session (if not entered on first boot). There are two problems here: the first is that the dialog box seemingly pops up at random, and the second is that it lacks any sort of visual signals to indicate that it is an "authentic" request for the Master Password from the Firefox browser. (Case in point for issue #1: the Master Password dialog just popped up as I was typing this -- I did not browse to any page where a login was required!) While a typical/simple javascript dialog does not look exactly the same as the MP dialog, the average/busy/tired user may not notice the difference and enter their password by habit. This is how many phishing scams work; things don't need to look exactly the same, just close enough so that a habitual behavior is triggered. Look at the attached image; can the average user tell me if that's the authentic login or a spoofed login without going and checking first? I'm willing to bet a LOT of users have the same master password as their Firefox account password. Even if that's not the case, this is a security issue that was brought up 3 years ago and misinterpreted/not addressed. I hope this is taken more seriously, and I'm happy to help the discussion along with examples if needed. Thanks to Mozilla for all the great work they've done! Firefox is still my browser of choice!
첨부된 스크린샷

글쓴이 habs0708 수정일시

모든 댓글 (3)

more options

Does little good here.

To submit suggestions for new or changed features, may I suggest: Feedback: https://qsurvey.mozilla.com/s3/FirefoxInput/

If you have a bug, file a bug report. https://bugzilla.mozilla.org/ Bug Writing Guidelines : https://developer.mozilla.org/en-US/docs/Mozilla/QA/Bug_writing_guidelines

Please let us know if this solved your issue or if need further assistance.

more options

Perhaps post a proposal on this forum:

https://discourse.mozilla.org/c/firefox-development

Some sites are trying to spoof the little panels that drop from the address bar, too, but they can't add a key icon into the bar (or whatever icon would be associated with the panel) so that still might be much better than the traditional style of pop-up.

more options

If you are unsure then close this dialog and login manually in the Password Manager.

  • Options/Preferences -> Privacy & Security: Logins: "Saved Logins" -> "Show Passwords"

If you press cancel on the MP dialog then the MP is reset and you need to re-enter the MP to be able to access the passwords.

Note that on Linux this prompt shows a key icon.

글쓴이 cor-el 수정일시