Re: ISSUE-21: Reply to question - what do pword managers do to ensure they don\'t \"leak\" pwords?

For firefox, we only auto-fill form content for pages where:

a) The scheme://hostname:port of the web page matches that which was  
used when the password was originally stored, AND
b) The scheme://hostname:port of the form's ACTION URL matches that  
which was used when the password was originally stored.

Naive approaches to password management may use only a) above.  The  
problem here is that it can lead to a XSS-style attack where people  
would put malicious login forms on sites like myspace within the user- 
specified content.  Since the page was presented by myspace, saved  
myspace credentials would be auto-filled, however on submit, the form  
would direct the data elsewhere.

Cheers,

J

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com



On 26-Mar-07, at 9:31 AM, Web Security Context Issue Tracker wrote:

>
>
> ISSUE-21: Reply to question - what do pword managers do to ensure  
> they don't "leak" pwords?
>
> http://www.w3.org/2006/WSC/Group/track/issues/21
>
> Raised by: Mary Ellen Zurko
> On product: Note: use cases etc.
>
> http://lists.w3.org/Archives/Public/public-usable-
> authentication/2007Mar/0032.html
> But in 8.4, what do the managers use to make sure they
> don't give the credentials to a phisher?
>
> I do not know. Can someone in the WG please reply with an answer to  
> this part?
> Should be easy for anyone with a clue.
>
>
>

Received on Monday, 26 March 2007 13:53:06 UTC