Skip to content
This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

Disable password autofill on page load #12489

Closed
darkdh opened this issue Jan 3, 2018 · 3 comments · Fixed by brave/muon#419
Closed

Disable password autofill on page load #12489

darkdh opened this issue Jan 3, 2018 · 3 comments · Fixed by brave/muon#419
Assignees
@darkdh
Labels
bug feature/password-manager QA/checked-Linux QA/checked-macOS QA/checked-Win64 QA/test-plan-specified release-notes/include security
Milestone
0.19.x Hotfix 11 ...

Comments

@darkdh
Copy link
Member

darkdh commented Jan 3, 2018

Description

https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

Steps to Reproduce

  1. Go to https://senglehardt.com/demo/no_boundaries/loginmanager/
  2. Submit username/password and save password using built-in password manager
  3. 3rd party script will steal your password and display on the page

Actual result:

Username and password get sniffed

Expected result:
No username and password will get leaked when page load

Reproduces how often:

Brave Version

about:brave info:

Reproducible on current live release:

Additional Information
@darkdh darkdh self-assigned this Jan 3, 2018
@bsclifton bsclifton added this to the 0.19.x Hotfix 11 milestone Jan 3, 2018
darkdh added a commit to brave/muon that referenced this issue Jan 3, 2018
@darkdh
Disable password autofill upon page load
dacc953 
fix brave/browser-laptop#12489

Auditors: @bridiver, @diracdeltas, @bbondy
This was referenced Jan 3, 2018
Merged
Closed
darkdh added a commit to brave/muon that referenced this issue Jan 4, 2018
@darkdh
Disable password autofill upon page load
a1b3336 
fix brave/browser-laptop#12489

Auditors: @bridiver, @diracdeltas, @bbondy
darkdh added a commit to brave/muon that referenced this issue Jan 4, 2018
@darkdh
Disable password autofill upon page load
d7fdca0 
fix brave/browser-laptop#12489

Auditors: @bridiver, @diracdeltas, @bbondy
This was referenced Jan 4, 2018
Closed
Closed
Closed
@darkdh
Copy link
Member Author

darkdh commented Jan 4, 2018

For QA: new result will be like this

  1. Hidden fields

screen shot 2018-01-03 at 4 38 13 pm

  1. Non hidden fields

screen shot 2018-01-03 at 4 45 05 pm

@srirambv
Copy link
Collaborator

srirambv commented Jan 5, 2018
edited
Loading

@darkdh should the autofill prompt the moment the page is loaded for which a credential is saved?
12489

@darkdh
Copy link
Member Author

darkdh commented Jan 5, 2018

@srirambv expected because private tab won't popup credentials automatically. it requires user interaction just like you did.

@LaurenWags LaurenWags mentioned this issue Jan 5, 2018
Closed
@kjozwiak kjozwiak mentioned this issue Jan 9, 2018
Closed
@darkdh darkdh mentioned this issue Jan 9, 2018
Closed
@eljuno eljuno mentioned this issue Feb 12, 2018
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@darkdh darkdh

Labels
bug feature/password-manager QA/checked-Linux QA/checked-macOS QA/checked-Win64 QA/test-plan-specified release-notes/include security
Projects
None yet
Milestone
0.19.x Hotfix 11 (Release Channel)
Development

Successfully merging a pull request may close this issue.

Disable password autofill upon page load brave/muon
6 participants
@diracdeltas @kjozwiak @bsclifton @darkdh @srirambv @LaurenWags