When I click the create button.
in passbolt using Firefox, my passbolt passphrase is autofilled by firefox. If I then save the new password and copy it into a web service where I am creating an account, my passbolt passphrase is leaked to the 3rd party web service.
Possible solutions:
name attribute of the field to something other than password.Hi @timthelion Welcome to the forum!
It seems you are describing two different events - but maybe I am misunderstanding. Can you elaborate more on the part where you say “my passbolt passphrase is autofilled by firefox”? Are you referring to the passphrase used to access passbolt? I use FF and I always paste in my passphrase manually - it never autofills and does not ask for me to save it, that I recall.
You show when a new password is being created by the passbolt extension (not Firefox itself) - and then when you copy it to where you are creating an account that’s obviously not a leak because you are copying it yourself. How are you saying the passphrase is leaked and to which 3rd party web service are you referring?
BTW if you haven’t read this yet it’s a recent writeup regarding a passbolt security audit.
I have firefox configured to autofill my passphrase when I log into passbolt. The same passphrase is autofilled when I click on the button to create a new password entry in passbolt. Yes, I am talking about the passphrase used to access passbolt. When I then save that new entry and copy the “new” password into a 3rd party service of course my passbolt passphrase is leaked to that 3rd party service.
So I’ve been looking into this. The relevant line in the source code is here:
I originally thought it would suffice to change the name password to something like new-password so that firefox knows that this field is not as the same as the field used to log in to the passbolt but actually passbolt already uses a different field name for the passphrase (they use passphrase…):
So I guess the first option is best, automatically fill this field in a callback with an actually randomly generated password. This would be faster for users as well, as it should be the default and automatic thing to do…
Hi @timthelion,
Thanks for the report.There are several things with the issue you reported.
Firstly it only affect people that use the browser password manager to autofill their passphrase on passbolt, and who do not click on the generate password when creating a new password afterward. So we can consider this more of an edge case than a security issue warranting immediate fix. So in the short term, the best option as @garrett pointed out is tell tell the browser password manager not to do this.
Secondly, I agree on the long term it does make sense to fix this. Rather than autogenerating a password autocomatically, I think it is probably best to use the same technique than for the username, e.g. using autocomplete="off" (How to turn off form autocompletion - Web security | MDN). Of course if other thinks differently we can revisit.
I’ll create a ticket in our backlog to add this to a future development cycle.
We’ll keep this thread on the community forum opens to track progress.
Cheers,
Yes these are good points @timthelion. As I think on this, I always turn off autocompletion in the browser settings as part of my setup for a new browser install. Though of course this has nothing to do with passbolt it does completely change my experience and I never considered this scenario before.
I also don’t use the FF password manager because I use passbolt for all my personal non-work passwords. Since the passbolt extension can be installed on multiple browsers to provide use from multiple locations, it gives me access from another computer like the FF password manager would.
If you don’t mind my asking, and since you were nice enough to mention the conflict that using both creates, do you have to use both? I’m just curious about your use case and if there was a specific reason to use both or if the FF password manager afforded you something passbolt could not.
Thanks again.
My main usecase for having autocomplete on is that I have over 25 users, many of whom are external contractors, and there is no way for me to mandate their browser configuration to them. Secondary to that, I use passbolt only for organization owned accounts. My personal accounts are all in keepass and I use form autofilling for them.
Btw, auto-complete=off won’t work you need auto-complete=new-password How to turn off form autocompletion - Web security | MDN
BTW @remy I understand that it can be frustrating to have to go through the process of admitting to having a security problem, but the way you edited the subject of this topic is in effect sweeping the problem under the rug. This is not anything but a security problem. It doesn’t annoy users, it doesn’t end up requiring more mouse clicks to do the right thing. The only effect of this issue is to leak the user’s passphrase to a third party service without the user’s knowledge. It would reflect far better on the project to openly admit to this as a security problem. Indeed, when I look through a list of CVE’s on a project and see a bunch of trivialities, I think that the organization takes security seriously, I don’t think that the software is insecure. You’ve just paid a bunch of money to have a pentesting organization create a security audit in which they came up with a bunch of hypotheticals. Somehow they didn’t come across this real issue. I really think you should change the title back.
@timthelion If you read the instructions for this section the title is supposed to follow the form you now see. He beat me to it in changing it - I would have done it myself but I wasn’t sure what the actual issue was. It’s part of moderation and organization of the site: we sometimes edit the title and put it in the right category.
Your original points were deemed valid but not security issues. Everything is fine, please don’t take unnecessary offense with the title.