Closed Bug 1835213 Opened 1 years ago Closed 1 years ago

Firefox treats *.ca.gov the same for saved login prompt

Categories

(Toolkit :: Password Manager, defect, P3)

Product:
Toolkit
Component:
Password Manager
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1663270

People

(Reporter: abuse, Unassigned)

References

(Depends on 1 open bug,
URL
)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Screen Shot 2023-05-25 at 21.41.04.png
(deleted), image/png
Details
Attached image Screen Shot 2023-05-25 at 21.41.04.png (deleted) —

FF 113.0.1 (64-bit)

Is this a vuln? I go to https://www.lemongrove.ca.gov/community/service-requests & click into the email box, and I'm prompted to use my saved login for www.dmv.ca.gov

Not every *.ca.gov is the same, Firefox... does this happen across *.co.uk domains too?

Firefox should not be leading people to accidentally provide their logins to different sites based on part of a domain name.

Flags: sec-bounty?

TBZ, thanks for the report!

Most likely this is a duplicate of the bug 1610556 or bug 1822796, but lets keep this one open until we verify.

Severity: -- → S3
Component: Security → Password Manager
Priority: -- → P3
Product: Firefox → Toolkit
See Also: → https://bugzilla.mozilla.org/show_bug.cgi?id=1822796

This kind of feels like something the effective TLD service is for.

This kind of feels like something the effective TLD service is for.

Yes, it is. The .gov registry has not added any sub-entries to gov. Here's our current copy of the public suffix list, but you can view the source for this (used by all modern browsers) at https://publicsuffix.org/ :
https://searchfox.org/mozilla-central/rev/0c2945ad4769e2d4428c72e6ddd78d60eb920394/netwerk/dns/effective_tld_names.dat#1153-1154

Not every *.ca.gov is the same, Firefox... does this happen across *.co.uk domains too?

No, because the UK registry added co.uk to the public suffix list:
https://searchfox.org/mozilla-central/rev/0c2945ad4769e2d4428c72e6ddd78d60eb920394/netwerk/dns/effective_tld_names.dat#5941-5954

We could try to hand-patch this specific failure, but while adding the 50 states might be obvious, we don't have any clue about anything else. By not adding these entries there are a number of potential security issues that .gov sites are opening themselves up to. That's outside our control—and should be! we have no idea how sub-domains are managed unless the owner declares it. There are several features (and other products) that depend on the PSL and we don't know if adding entries would break one of those other features. Likely not—likely this is just the US gov't not caring—but we can't be sure.

I don't understand why bug 1822796 itself isn't a duplicate: this potential for confusion was known (and reported repeatedly) ever since the "related sites" prompts appeared in pre-release versions. bug 1610556 is a suggestion to improve the situation, but that follows from acknowledging the original problem. Note: we're not going to completely remove the feature because it has been a tremendous help on the many sites that have different "sign up" sub-domains from their "login" domain, or for sites that restructure over time and use different sub-domains

Status: UNCONFIRMED → RESOLVED
Closed: 1 years ago
Duplicate of bug: 1610556
Resolution: --- → DUPLICATE
See Also: → https://bugzilla.mozilla.org/show_bug.cgi?id=1601558, https://bugzilla.mozilla.org/show_bug.cgi?id=589628
Group: firefox-core-security
Depends on: 1610556
Duplicate of bug: 1663270
No longer duplicate of bug: 1610556
Flags: sec-bounty? → sec-bounty-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: