Password field issue


Brad Silcox

Apr 17, 2018, 11:28:29 AM
to mooltipass
All,
Ok, so at first it seemed it was my older Asus routers, now the problem is showing up on admin.google.com as well as within my Synology UI.  What I am seeing is the mooltiapp throwing the main login password into any sub-password fields. It is doing this without asking confirmation on the device (after the initial login confirmation).  I've had to ignore these domains in order to make resetting passwords on subaccounts possible.  Could it be something I'm doing? I'm afraid a similar exploit could be used to capture credentials into a hidden field on an imposter site, is this a legitimate worry here?

Regards,
Brad

mathieu...@gmail.com

Apr 17, 2018, 11:31:49 AM
to Brad Silcox, mooltipass
Hello Brad,

We do maintain a credentials cache, but only for login forms that do have the same domain... so imposter sites won't be able to use that trick.
Could you let us know which sub-password fields create the problem on google.com so we can investigate? Ideally a list of actions would be best.

Mathieu

--
You received this message because you are subscribed to the Google Groups "mooltipass" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mooltipass+unsubscribe@googlegroups.com.
To post to this group, send email to moolt...@googlegroups.com.
Visit this group at https://groups.google.com/group/mooltipass.
For more options, visit https://groups.google.com/d/optout.

Brad Silcox

Apr 17, 2018, 11:53:59 AM
to mathieu...@gmail.com, mooltipass
Mathieu,
The actions on google are domain admin actions from admin.google.com. These include resetting passwords on sub-accounts or creating new accounts. Without looking too far into other ways to replicate, you might be able to replicate a similar issue with managing users or other settings within the Synology UI using their live demo https://www.synology.com/en-us/dsm/live_demo

Both of the fields will populate with my credentials (overwriting what values may have been in the field before).

Specifying my DDNS settings is one of the numerous sub-password fields that tries to grab my main login credentials. Could we have a setting for individual domains that allows us to modify the behavior? IMHO, I would default to a non-cached method and only allow the few sites I would need the caching on (for password confirmations etc.; I think having to reauth on the device would be less of a headache versus caching).

Regards,
Brad

Brad Silcox

Apr 17, 2018, 12:14:03 PM
to mathieu...@gmail.com, mooltipass
Mathieu,
I've confirmed the Synology Demo site replicates the issue, but it requires a little work. I've outlined the replication steps below:

Firefox (with scripting enabled)
2. Select "Try it now for free!" and Launch if necessary.
3. Go to Control Panel > Users
4. Create a test user and assign admin/full privileges

Chrome
1. Copy the URL from Firefox (https://a##.demo.synology.de:5001)
2. Login with your recently created user credentials and save them to the Mooltipass
3. Use the profile icon in the top right and logout.
4. Login screen should auto prompt MP for credentials, select allow.
5. Navigate back to users and open up the "synology" user and observe the following change (username and password fields are overwritten):

I hope that helps. I'd love to still be prompted for my initial login (storing it as a favorite helps the speed of accessing the credentials, however it lacks the convenience; I'll have a long favorites list at this rate).

Regards,
Brad
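The behaviour Mathieu describes (a same-domain credentials cache) and the forms Brad lists (login, create-user, DDNS settings) come down to one decision the extension has to make per form. The following is an added example, not Mooltipass code, of a policy that only auto-fills a cached credential into the form it was saved from, and otherwise asks the device to re-confirm; the origin, field names and saved-credential shape are all assumed for illustration.

```javascript
// Added example, not Mooltipass code: decide whether a cached credential may be
// auto-filled into a form or whether the device must ask the user again. Forms are
// plain objects ({ origin, fields: [{ type, name, autocomplete, value }] }), so this
// runs without a browser; the saved-credential shape is an assumption.
function isPasswordField(f) {
  return f.type === "password";
}

// Hints that mark a "set a new password" input rather than a login password.
function looksLikeNewPassword(f) {
  const hint = (f.autocomplete || "").toLowerCase();
  const name = (f.name || "").toLowerCase();
  return hint === "new-password" || /new|confirm|repeat|verify/.test(name);
}

// The names of a form's text/email/password inputs, in order, are its signature.
function formSignature(form) {
  return form.fields
    .filter((f) => ["text", "email", "password"].includes(f.type))
    .map((f) => f.name)
    .join("|");
}

// Returns "fill", "confirm-on-device" or "skip".
function autofillDecision(saved, form) {
  // Bind the cache to the exact origin (scheme, host, port), not a loose domain match.
  if (saved.origin !== form.origin) return "skip";
  const pw = form.fields.filter(isPasswordField);
  if (pw.length === 0) return "skip";
  // Two password inputs or a new-password hint: a set/reset-password form, so the
  // cached login must not be pasted in without confirmation on the device.
  if (pw.length > 1 || pw.some(looksLikeNewPassword)) return "confirm-on-device";
  // One password field on a form the credential was not saved from (a DDNS or
  // sub-account password, say) is still a different form: re-confirm.
  if (formSignature(form) !== saved.signature) return "confirm-on-device";
  // Never overwrite a password the user or the page already put in the field.
  if (pw.some((f) => f.value)) return "skip";
  return "fill";
}

// Constructed fixtures modelled on the thread's NAS case; the origin is a placeholder.
const ORIGIN = "https://nas.example.test:5001";
const saved = { origin: ORIGIN, signature: "username|passwd" };
const loginForm = { origin: ORIGIN, fields: [
  { type: "text", name: "username", value: "" }, { type: "password", name: "passwd", value: "" } ] };
const createUserForm = { origin: ORIGIN, fields: [
  { type: "text", name: "name", value: "" }, { type: "password", name: "password", value: "" },
  { type: "password", name: "password_confirm", value: "" } ] };
const ddnsForm = { origin: ORIGIN, fields: [
  { type: "text", name: "ddns_user", value: "" }, { type: "password", name: "ddns_pass", value: "" } ] };
```

Only the login form re-shown after logout gets filled silently; the create-user and DDNS forms return "confirm-on-device", which is the prompt Brad asks to keep.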

mathieu...@gmail.com

Apr 17, 2018, 12:16:31 PM
to Brad Silcox, mooltipass
Hello Brad,

Thanks for the detailed guide! 
I'll pass it along to our developers.

Mathieu

mathieu...@gmail.com

Apr 25, 2018, 5:20:59 PM
to Brad Silcox, mooltipass
Hello Brad,

I'm fairly sure we have fixed your bug in our pre-release channel!
Could you therefore uninstall your extension and install the 1.4.9 one reserved for our testers here: https://chrome.google.com/webstore/detail/mkjlelalgdinanmcljpgkojjolkdcebh (should be live in an hour)?

Have a great day!
Mathieu

Brad Silcox

May 1, 2018, 3:09:48 AM
to mathieu...@gmail.com, mooltipass
Mathieu,
I finally got around to updating the extension and can confirm that, at least from my first test, the issue seems to be addressed: the device is re-prompting for credential use and not overwriting the existing values for username/password. I'll keep an eye on the few other services where I saw similar behavior, but hopefully that should fix it.

Regards,
Brad

mathieu...@gmail.com

May 1, 2018, 3:11:19 AM
to Brad Silcox, mooltipass
Thanks for the confirmation!

I'll push to master very soon.
