Closed Bug 250337 Opened 20 years ago Closed 20 years ago

URL-bar history shows http://username:password@site (insecure)

Categories

(Firefox :: Address Bar, enhancement)

x86
Windows XP
enhancement
Not set
normal

Tracking

()

VERIFIED DUPLICATE of bug 88771

People

(Reporter: bugzilla, Assigned: bugs)

Details

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a2) Gecko/20040707 Firefox/0.8.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a2) Gecko/20040707 Firefox/0.8.0+

URL-bar history shows http://username:password@site. This feature can be quite insecure, because it's (too) easy to steal passwords this way. Either it should be switched off by default, made completely impossible, or the user should make some kind of choice.

Reproducible: Always

Steps to Reproduce:
1. Go to an http-auth site, and supply the username/pass by entering http://<username>:<pass>@<site with http-auth>/
2. Click into the URL bar, and start typing the <username> (or use the drop-down button)
3. Notice that the autocompletion shows the password (or it is shown in the drop-down menu)

Actual Results: I see the password.

Expected Results: Firefox shouldn't have shown the passwords, only the usernames, and asked for the password instead.
Attached image Screenshow (deleted) —
Couldn't find a firefox bug on this, but see seamonkey bugs: bug 146289 bug 88771 bug 130327 Confirming.
Assignee: firefox → bugs
Status: UNCONFIRMED → NEW
Component: General → Location Bar and Autocomplete
Ever confirmed: true
QA Contact: firefox.general → davidpjames
*** This bug has been marked as a duplicate of 88771 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
V/dupe.
Status: RESOLVED → VERIFIED
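
An added example, not part of the original bug thread and not Firefox code: one way a history store could meet the expected result in the report, by dropping the password from the URL's userinfo before the URL is recorded while keeping the username for autocompletion. The helper names (`historyEntry`, `buildHistory`, `autocomplete`) and the sample URLs are hypothetical and constructed for illustration; only the standard WHATWG `URL` API is assumed.

```javascript
// Added example: hypothetical helpers, not Firefox code.
// Drop the password from a URL's userinfo before it is written to history.
function historyEntry(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parser (browsers and Node.js)
  } catch {
    return null; // not an absolute URL, nothing to record
  }
  url.password = ""; // "user:pass@host" becomes "user@host"
  return url.href;
}

// Build the stored history: redact, then de-duplicate, so two visits that
// differ only in the password collapse into one entry.
function buildHistory(visited) {
  const entries = [];
  for (const raw of visited) {
    const href = historyEntry(raw);
    if (href !== null && !entries.includes(href)) entries.push(href);
  }
  return entries;
}

// Autocomplete as in step 2 of the report: match what the user types
// against each entry with the scheme removed.
function autocomplete(entries, typed) {
  const stripScheme = (h) => h.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  return entries.filter((h) => stripScheme(h).startsWith(typed));
}

// Constructed sample visits (hosts and credentials are made up).
const visited = [
  "http://alice:s3cret@intranet.example/",
  "http://alice:other%40pw@intranet.example/", // percent-encoded password
  "http://alice@intranet.example/reports",     // username only
  "http://intranet.example/public",            // no userinfo
  "not a url",                                 // unparseable input
];

const stored = buildHistory(visited);
console.log(autocomplete(stored, "alice"));
```

Redaction has to happen before the write to storage; filtering only at display time would leave the password in the history file on disk.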