We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Vanwege onderhoudswerkzaamheden die uw ervaring zouden moeten verbeteren, heeft deze website beperkte functionaliteit. Als een artikel uw probleem niet verhelpt en u een vraag wilt stellen, kan onze ondersteuningsgemeenschap u helpen in @FirefoxSupport op Twitter en /r/firefox op Reddit.

Zoeken in Support

Vermijd ondersteuningsscams. We zullen u nooit vragen een telefoonnummer te bellen, er een sms naar te sturen of persoonlijke gegevens te delen. Meld verdachte activiteit met de optie ‘Misbruik melden’.

Meer info

Deze conversatie is gearchiveerd. Stel een nieuwe vraag als u hulp nodig hebt.

The master password dialog box can be spoofed using JS, allowing any site owner to steal your master password.

  • 3 antwoorden
  • 2 hebben dit probleem
  • 1 weergave
  • Laatste antwoord van cor-el

more options

In the event that a user is using a Master Password to protect their website passwords, the Master Password dialog box can pop-up either on first boot of Firefox, or within a browsing session (if not entered on first boot). There are two problems here: the first is that the dialog box seemingly pops up at random, and the second is that it lacks any sort of visual signals to indicate that it is an "authentic" request for the Master Password from the Firefox browser.

(Case in point for issue #1: the Master Password dialog just popped up as I was typing this -- I did not browse to any page where a login was required!)

While a typical/simple javascript dialog does not look exactly the same as the MP dialog, the average/busy/tired user may not notice the difference and enter their password by habit. This is how many phishing scams work; things don't need to look exactly the same, just close enough so that a habitual behavior is triggered. Look at the attached image; can the average user tell me if that's the authentic login or a spoofed login without going and checking first?

I'm willing to bet a LOT of users have the same master password as their Firefox account password. Even if that's not the case, this is a security issue that was brought up 3 years ago and misinterpreted/not addressed. I hope this is taken more seriously, and I'm happy to help the discussion along with examples if needed.

Thanks to Mozilla for all the great work they've done! Firefox is still my browser of choice!

In the event that a user is using a Master Password to protect their website passwords, the Master Password dialog box can pop-up either on first boot of Firefox, or within a browsing session (if not entered on first boot). There are two problems here: the first is that the dialog box seemingly pops up at random, and the second is that it lacks any sort of visual signals to indicate that it is an "authentic" request for the Master Password from the Firefox browser. (Case in point for issue #1: the Master Password dialog just popped up as I was typing this -- I did not browse to any page where a login was required!) While a typical/simple javascript dialog does not look exactly the same as the MP dialog, the average/busy/tired user may not notice the difference and enter their password by habit. This is how many phishing scams work; things don't need to look exactly the same, just close enough so that a habitual behavior is triggered. Look at the attached image; can the average user tell me if that's the authentic login or a spoofed login without going and checking first? I'm willing to bet a LOT of users have the same master password as their Firefox account password. Even if that's not the case, this is a security issue that was brought up 3 years ago and misinterpreted/not addressed. I hope this is taken more seriously, and I'm happy to help the discussion along with examples if needed. Thanks to Mozilla for all the great work they've done! Firefox is still my browser of choice!
Gekoppelde schermafbeeldingen

Bewerkt door habs0708 op

Alle antwoorden (3)

more options

Does little good here.

To submit suggestions for new or changed features, may I suggest: Feedback: https://qsurvey.mozilla.com/s3/FirefoxInput/

If you have a bug, file a bug report. https://bugzilla.mozilla.org/ Bug Writing Guidelines : https://developer.mozilla.org/en-US/docs/Mozilla/QA/Bug_writing_guidelines

Please let us know if this solved your issue or if need further assistance.

more options

Perhaps post a proposal on this forum:

https://discourse.mozilla.org/c/firefox-development

Some sites are trying to spoof the little panels that drop from the address bar, too, but they can't add a key icon into the bar (or whatever icon would be associated with the panel) so that still might be much better than the traditional style of pop-up.

more options

If you are unsure then close this dialog and login manually in the Password Manager.

  • Options/Preferences -> Privacy & Security: Logins: "Saved Logins" -> "Show Passwords"

If you press cancel on the MP dialog then the MP is reset and you need to re-enter the MP to be able to access the passwords.

Note that on Linux this prompt shows a key icon.

Bewerkt door cor-el op