Huge security issue when sharing folder #9524
Comments
|
Hey :) |
|
Firefox 60 will ignore the 'new-password' property of the password field and still auto-fill it. |
This sounds like a bug in Firefox. Could you report it there as well and check if this is the wanted behavior? See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input#attr-autocomplete |
According to this, it is intended behaviour: https://bugzilla.mozilla.org/show_bug.cgi?id=1353035 I don't agree with Mozilla. Its a huge security issue in Nextcloud's case, when LDAP auth is enabled and users have their AD domain passwords saved in FF's password manager. Until Mozilla introduces a change in their browser, would it possible for the Nextcloud team to engineer a workaround for this? Considering that even if Firefox starts honoring the 'autocomplete=off/new-password' in the future; it would still be an issue on older versions of the browser. #10647 Could be a viable workaround if implemented. |
|
Can confirm this issue still persists in Nextcloud 13.0.6 and Firefox 61.0.1. The problem is that you can easily send out your password by accident, because of the dangerous combination of autofill + Nextcloud sending the share email out without a confirm button. "Workarounds" for the moment: don't save your NC login in Firefox or save more than one NC account credentials in Firefox, because then autofill won't happen. |
skjnldsv
added
the
0. Needs triage
|
Fixed with #15719 |
The steps to share a folder and and a password are automatic and this could lead to big security issue if associated to browser's autofill feature.
Steps to reproduce
Expected behaviour
Shouldn't send password without confirmation, button or else
Actual behaviour
Sends the login password because of the autofill feature of the browser
Server configuration
Operating system:
Linux debian
Web server:
Apache 2
Database:
Mysql
PHP version:
7.2
Nextcloud version: (see Nextcloud admin page)
13.0.2
The text was updated successfully, but these errors were encountered: