Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames

Thehandyman1957
Board Warrior
Posts: 1280
Joined: Tue, 19 May 2015, 02:26
Location: Arizona U.S.

Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames

Postby Thehandyman1957 » Sat, 30 Dec 2017, 01:45

Is this something we need to be worried about? :think:

Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames
https://www.bleepingcomputer.com/news/s ... usernames/
"Watch your thoughts; they become words. Watch your words; they become actions. Watch your actions; they become habits. Watch your habits; they become your character. Watch your character; it becomes your destiny."

Moonchild
Pale Moon guru
Posts: 20511
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Re: Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames

Postby Moonchild » Sat, 30 Dec 2017, 02:42

It's not a flaw in the login managers. It's actually a design decision (deliberate convenience feature) that is being abused.
This approach is only possible when a third party has script access to the first-party domain, since cross-origin access needs to be set explicitly -- this means that it will only work when the site owners explicitly allow this script access, so actually stealing credentials through scripts that are not known to the website owners won't be possible. In the case of XSS, we have CSP to mitigate that.

I am however ahead of this already, because I do recognize the risk of this feature being enabled by default. See Issue #1559. I'll change the default, but will provide an easy way for users to re-enable it if they prefer the convenience of it and find having to click the user name field to be too cumbersome for their workflow.
Last edited by Moonchild on Sat, 30 Dec 2017, 08:03, edited 2 times in total.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.
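The reply above rests on two points: a third-party script can only read the autofilled field if the site itself lets that script run in the first-party context, and Content-Security-Policy limits which scripts may do so even under XSS. The following is an added example written for this thread, not code from Pale Moon or from either poster: a minimal evaluator for the `script-src` directive that shows how a site's policy decides whether a given script origin is permitted. It is a simplified model (host and scheme sources, `'self'`, `'none'` and `*` only; nonces, hashes, paths and `'strict-dynamic'` are deliberately left out), and the policies, page origin and script URLs in it are constructed sample values.

```javascript
// Added example: simplified CSP script-src evaluation for a site owner who wants
// to check which script origins a candidate policy would let into the page.
// Not a full CSP implementation (no nonces, hashes, path matching or
// 'strict-dynamic'); all sample values below are constructed for the demo.

function parseScriptSources(cspHeader) {
  // Returns the source list for script-src, falling back to default-src,
  // or null when the header names neither (no restriction at all).
  const directives = {};
  for (const part of cspHeader.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives["script-src"] || directives["default-src"] || null;
}

function hostMatches(pattern, host) {
  // "*.example.net" matches any subdomain of example.net but not the bare domain.
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.net"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function hostSourceMatches(source, page, script) {
  // Handles host, *.host, scheme://host and scheme://host:port source forms.
  let scheme = null;
  let hostPort = source;
  const idx = source.indexOf("://");
  if (idx !== -1) {
    scheme = source.slice(0, idx) + ":";
    hostPort = source.slice(idx + 3);
  }
  const [hostPattern, port] = hostPort.split("/")[0].split(":");
  if (scheme !== null) {
    if (script.protocol !== scheme) return false;
  } else {
    // No scheme in the source: the page's own scheme (or an upgrade to https) is allowed.
    const upgrade = page.protocol === "http:" && script.protocol === "https:";
    if (script.protocol !== page.protocol && !upgrade) return false;
  }
  if (port !== undefined) {
    const defaultPort = script.protocol === "https:" ? "443" : "80";
    if ((script.port || defaultPort) !== port) return false;
  }
  return hostMatches(hostPattern, script.hostname);
}

function scriptAllowed(cspHeader, pageOrigin, scriptUrl) {
  const sources = parseScriptSources(cspHeader);
  if (sources === null) return true; // no policy: any script origin may run
  const page = new URL(pageOrigin);
  const script = new URL(scriptUrl);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "*") return true;
    if (src === "'self'") {
      if (script.origin === page.origin) return true;
      continue;
    }
    if (src.endsWith(":")) { // scheme source such as https:
      if (script.protocol === src) return true;
      continue;
    }
    if (src.startsWith("'")) continue; // other keywords are not modelled here
    if (hostSourceMatches(src, page, script)) return true;
  }
  return false;
}

// Constructed sample: a first-party shop page, its own script, an allowed CDN
// and an unrelated tracker origin, checked against a weak and a tight policy.
const PAGE = "https://shop.example.com";
const WEAK_CSP = "script-src *";
const TIGHT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.net";

function demo() {
  const urls = {
    own: "https://shop.example.com/app.js",
    cdn: "https://cdn.example.net/lib.js",
    tracker: "https://tracker.example.org/t.js",
  };
  const report = {};
  for (const [name, url] of Object.entries(urls)) {
    report[name] = { weak: scriptAllowed(WEAK_CSP, PAGE, url), tight: scriptAllowed(TIGHT_CSP, PAGE, url) };
  }
  return report;
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the weak policy every origin, including the tracker, is permitted, which is exactly the situation in which a third party gains script access to the first-party domain; under the tight policy only the site itself and the CDN it chose to allow pass, so an injected script from elsewhere is refused even if an XSS bug exists on the page.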
