Login forms autofill

Login forms autofill

WhiteWinterWolf
Hello,

I hope I am at the right place. I would like to better understand the
logic which led to the current situation regarding login forms autofill.

In particular, I wonder why there is an official recommendation to
change `signon.autofillForms` default value while, at the same time,
keeping the setting out of reach of casual users.

This is not a rant or something like that, on the contrary. I'm writing
an article for my blog explaining how to better use the Firefox password
manager (I too often encounter non-tech people thinking that standalone
password managers praised by tech-people are overkill for them, which I
consider right, but their decisions afterwards are usually misguided and
very poor security-wise).

The so-called "sweep attack" allows an attacker to steal users'
credentials for various websites by quickly and successively simulating
the login form of each targeted website, taking advantage of the
browser autofill feature to provide the matching credentials to the
attacker without any user intervention.

This attack is mainly popular on rogue WiFi access points, but with the
rise of malicious software targeting ISP-provided routers I would not
be surprised to find it also applied directly in users' homes.

Firefox provides a setting, `signon.autofillForms`, which when set to
`false` makes Firefox require user intervention before filling an
authentication form.

This setting is documented here:
http://kb.mozillazine.org/Signon.autofillForms

By default it is set to `true`; the above-mentioned documentation
recommends changing it to thwart this attack.

The reason why this value defaults to `true` is discussed in the bug
discussion attached to this KB:

https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c236

> we simply annoy and alienate all the users who expect autofill to work
> as it has since Firefox 1.0.

When asking non-tech people around me they seem neither "annoyed" nor
"alienated" with the flow of having to click on a login field to get
Firefox's drop-down proposing to fill it automatically.

This bug being pretty old now (more than 10 years old), I wonder if such
a statement still stands in today's Internet? Maybe users' relation to
electronic devices has evolved since then?

The default is to have autofill enabled because of this historical
reason and the KB recommends disabling it for security reasons.

While I may understand the choice for the default value, why is this
setting buried in the `about:config` screen then? Why isn't there a
checkbox in Firefox security settings allowing users to enable/disable
authentication form auto-filling?

Firefox built-in password manager targets casual users, and I feel bad
having to recommend that those users go into the `about:config` screen. I
also feel bad keeping them from taking advantage of a nice and
well-done security feature just for the sake of avoiding breaking their
"Firefox 1.0 experience".

Shouldn't `signon.autofillForms` be set to false by default? If not,
shouldn't a checkbox be proposed to allow casual users to easily change
it? And if not: why?

I'm sure this has been largely discussed in the past and there are good
reasons behind those choices, so I just would like to understand the
*why* because the current situation (default value = true, recommend
users to change it but bury the setting to prevent any easy change)
doesn't currently make any sense to me.

I must be missing something; thank you in advance for pointing me in the right
direction!

Regards,
Simon.

--
WhiteWinterWolf
https://www.whitewinterwolf.com
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

Login forms autofill

WhiteWinterWolf
(previous mail sent to mozilla-dev-security instead of dev-security,
sorry for the inconvenience...)

Re: Login forms autofill

Gervase Markham
On 02/11/17 11:23, WhiteWinterWolf wrote:
> In particular, I wonder why there is an official recommendation to
> change `signon.autofillForms` default value while, at the same time,
> keeping the setting out of reach of casual users.

The site you reference is not official, and so what it says is not an
official recommendation. It seems the Firefox developers have decided
that "true" is the correct value for this preference, and have further
decided it doesn't need UI.

Gerv

Re: Login forms autofill

WhiteWinterWolf
On 02/11/2017 at 17:56, Gervase Markham wrote:
> On 02/11/17 11:23, WhiteWinterWolf wrote:
>> In particular, I wonder why there is an official recommendation to
>> change `signon.autofillForms` default value while, at the same time,
>> keeping the setting out of reach of casual users.
>
> The site you reference is not official, and so what it says is not an
> official recommendation. It seems the Firefox developers have decided
> that "true" is the correct value for this preference, and have further
> decided it doesn't need UI.

Thank you for your answer. This is sad (from my personal point of view)
but this makes things logical now.

Regards,
Simon.

--
WhiteWinterWolf
https://www.whitewinterwolf.com

Re: Login forms autofill

Tanvi Vyas
Hello Simon,

Note that we also have an additional preference - signon.autofillForms.http
- that is set to false by default.  This preference turns off autofilling
passwords on HTTP pages without user interaction.  The user has to select
the username in order for the password to be filled.  The reason this
preference was added was to prevent attacks like the one you reference.

Thanks!

~Tanvi

On Thu, Nov 2, 2017 at 10:18 AM, WhiteWinterWolf <
[hidden email]> wrote:

> On 02/11/2017 at 17:56, Gervase Markham wrote:
>
>> On 02/11/17 11:23, WhiteWinterWolf wrote:
>>
>>> In particular, I wonder why there is an official recommendation to
>>> change `signon.autofillForms` default value while, at the same time,
>>> keeping the setting out of reach of casual users.
>>>
>>
>> The site you reference is not official, and so what it says is not an
>> official recommendation. It seems the Firefox developers have decided
>> that "true" is the correct value for this preference, and have further
>> decided it doesn't need UI.
>>
>
> Thank you for your answer. This is sad (from my personal point-of-view)
> but this makes things logical now,
>
> Regards,
> Simon.

Re: Login forms autofill

WhiteWinterWolf
Hello Tanvi,

I already knew about this setting; it highlights the desire from Mozilla to
keep the autofill feature active as much as possible, even if this means
security trade-offs:

- Initial issue: autofill fills credentials even on forms submitting to
unusual third-party websites. Some people expressed some concerns that
the autofill feature should be disabled, but instead Firefox was modified
to more closely scrutinize the authentication form submission URL before
automatically filling it.

- Then it appeared that an attacker in control of the DNS answers can
keep the original URL while still automatically redirecting the
authentication form submission to its own servers, so the setting you
mention has been added to limit autofilling to HTTPS forms.

- Then it appeared that JavaScript can be used to change the submission
URL once the authentication form has been automatically filled. I've
just checked with Firefox 52.4.0 on Linux Debian: Firefox is still
vulnerable to this attack. An attacker just has to change the submission
URL after Firefox automatically filled users' credentials to send them to
any arbitrary HTTPS URL (frankly, I thought this was solved a long time
ago, and this reinforces my opinion even more).

- Even if Firefox were modified to handle automatically filled
authentication forms as a special case and turn some properties
read-only from JavaScript, potentially breaking some websites by the
way, this wouldn't prevent attacks relying on malicious or leaked CA
certificates for instance, plus any techniques other than the ones
mentioned above which most likely *will* be discovered in the future, as
long as browsers provide such functionality.


In my opinion, as a rule a web page should *never* be able to
automatically extract sensitive information from the browser's database
without the user's consent.


- You can try to filter the form and submission URLs, the protocols, the
JavaScript methods, server certificates and I don't know what else and
still leave gaping holes in the process.

- Or you can simply require the user to click on an authentication form
to fill it. Problem solved.

In my opinion, the second option is both more secure, easier to
implement and more user friendly. But that's just my opinion.

Regards,
Simon.


On 13/11/2017 at 22:27, Tanvi Vyas wrote:

> Hello Simon,
>
> Note that we also have an additional preference - signon.autofillForms.http
> - that is set to false by default.  This preference turns off autofilling
> passwords on HTTP pages without user interaction.  The user has to select
> the username in order for the password to be filled.  The reason this
> preference was added was to prevent attacks like the one you reference.
>
> Thanks!
>
> ~Tanvi

--
WhiteWinterWolf
https://www.whitewinterwolf.com
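
Added example, not part of the original thread and not Firefox's code: a simplified JavaScript model of the fill decisions discussed in the message above, using the two preferences and default values named in the thread. The function names, the saved-login shape, the assumed fill-time action check and the `.example` hosts are assumptions made for illustration.

```javascript
// Simplified model of the fill decisions debated in this thread.
// NOT Firefox code: function names and the saved-login shape are hypothetical.
const DEFAULT_PREFS = {
  "signon.autofillForms": true,        // default value stated in the thread
  "signon.autofillForms.http": false,  // default value stated in the thread
};

const originOf = (url, base) => new URL(url, base).origin;

// Returns "autofill" (filled with no user action), "on-interaction"
// (filled only after the user picks the login) or "no-match".
function fillDecision(prefs, pageUrl, formAction, login) {
  const page = new URL(pageUrl);
  if (page.origin !== login.origin) return "no-match";
  // Assumed fill-time scrutiny of the submission target.
  if (originOf(formAction, pageUrl) !== login.actionOrigin) return "on-interaction";
  if (!prefs["signon.autofillForms"]) return "on-interaction";
  if (page.protocol === "http:" && !prefs["signon.autofillForms.http"]) {
    return "on-interaction";
  }
  return "autofill";
}

// The fill-time check cannot see later changes, so a defender has to
// compare the action again at submit time.
function actionChangedSinceFill(pageUrl, actionAtFill, actionAtSubmit) {
  return originOf(actionAtFill, pageUrl) !== originOf(actionAtSubmit, pageUrl);
}

// Names of the scenarios in which credentials reach the page silently.
function silentFills(prefs, scenarios) {
  return scenarios
    .filter((s) => fillDecision(prefs, s.page, s.action, s.login) === "autofill")
    .map((s) => s.name);
}

// Constructed sample data (reserved .example names).
const httpsLogin = { origin: "https://shop.example", actionOrigin: "https://shop.example" };
const httpLogin = { origin: "http://shop.example", actionOrigin: "http://shop.example" };
const SCENARIOS = [
  { name: "https-same-origin", page: "https://shop.example/login", action: "/session", login: httpsLogin },
  { name: "http-same-origin", page: "http://shop.example/login", action: "/session", login: httpLogin },
  { name: "https-third-party-action", page: "https://shop.example/login",
    action: "https://collector.example/c", login: httpsLogin },
];
const HARDENED = { ...DEFAULT_PREFS, "signon.autofillForms": false };
```

In this model the default preferences leave one silent-fill path (the HTTPS page whose form action matches at fill time), while the hardened preferences leave none, which is the trade-off the message argues about.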

Re: Login forms autofill

Richard Z
On Tue, Nov 14, 2017 at 12:02:40PM +0100, WhiteWinterWolf wrote:

...
...

> - Even if Firefox were modified to handle automatically filled
> authentication forms as a special case and turn some properties read-only
> from JavaScript, potentially breaking some websites by the way, this
> wouldn't prevent attacks relying on malicious or leaked CA certificates for
> instance, plus any techniques other than the ones mentioned above which
> most likely *will* be discovered in the future, as long as browsers provide
> such functionality.

in addition to all security risks there is also a potential privacy issue,
websites will know that it's you as soon as the login (or any other) form
is autofilled even long before you hit login. Yet another method of tracking.

> - Or you can simply require the user to click on an authentication form to
> fill it. Problem solved.
>
> In my opinion, the second option is both more secure, easier to implement
> and more user friendly. But that's just my opinion.

makes sense in today's world.


Richard

--
Name and OpenPGP keys available from pgp key servers
