yahoo-eng-team team mailing list archive
Message #00858
[Bug 1116168] Re: Login form allows autocompletion by browser
** Changed in: horizon
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1116168
Title:
Login form allows autocompletion by browser
Status in OpenStack Dashboard (Horizon):
Fix Released
Bug description:
The AUTOCOMPLETE attribute, which is used by web developers to
indicate when web browsers should retain information relating to web
forms, is not disabled on form input elements relating to passwords.
An attacker, who gains access to the computer, either locally or
through some remote compromise, can capture the stored credentials.
Further, methods have existed whereby a malicious web site can
retrieve the stored credentials for other applications, by exploiting
browser vulnerabilities or through application-level cross-domain
attacks.
It is recommended that the AUTOCOMPLETE attribute on all sensitive
forms should be disabled.
I have prepared a suggested patch in this pull request:
https://github.com/openstack/horizon/pull/21
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1116168/+subscriptions
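
One way to check rendered pages for the condition the bug description reports, as an added example that is not part of the original message or of Horizon's code. The markup, field names and URLs in the sample are constructed; the rule that an input's own autocomplete value takes precedence over the enclosing form's is how the attribute is defined in HTML.

```python
from html.parser import HTMLParser

# Constructed sample markup for illustration (not Horizon's actual templates).
SAMPLE_FORMS = """\
<form method="post" action="/auth/login/">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form method="post" action="/settings/password/" autocomplete="off">
  <input type="password" name="current_password">
  <input type="password" name="new_password" autocomplete="on">
</form>
<input type="password" name="api_secret" autocomplete="off">
"""


class AutocompleteAudit(HTMLParser):
    """Collect password inputs for which autocompletion is not disabled."""

    def __init__(self):
        super().__init__()
        self.form_off = None   # None outside any <form>, else True/False
        self.findings = []     # (field name, line number) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute names arrive lowercased
        if tag == "form":
            self.form_off = (a.get("autocomplete") or "").lower() == "off"
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            own = a.get("autocomplete")
            # The input's own setting wins; otherwise inherit from the form.
            disabled = own.lower() == "off" if own else bool(self.form_off)
            if not disabled:
                name = a.get("name") or a.get("id") or "?"
                self.findings.append((name, self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = None


def audit(html):
    """Return [(field name, line)] for password inputs left autocompletable."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for name, line in audit(SAMPLE_FORMS):
        print(f"line {line}: password field '{name}' allows autocompletion")
```

Current browsers' password managers may ignore autocomplete="off" on login fields, so this verifies the markup rather than what a given browser will store.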