Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Autofill and submit credentials with card removed #118

Open
ai212983 opened this issue Nov 16, 2021 · 2 comments
Open

Autofill and submit credentials with card removed #118

ai212983 opened this issue Nov 16, 2021 · 2 comments

Comments

@ai212983
Copy link

ai212983 commented Nov 16, 2021
edited
Loading

  1. Go to some website with login form
  2. Add username/password to Mooltipass, enable autosubmit
  3. Refresh the page if necessary, observe auto-login
  4. Remove card from Mooltipass
  5. Logout from the website
  6. Probably redirected to login page, if not, navigate to login page.
  7. Observe auto-login with Mooltipass without card

Can not provide specific site, as its Artifactory on our internal network. Looks like a huge security problem to me. No way password should be in the system once card is not in the device.

N.B. Looks related to #52 and credentials caching
@ai212983 ai212983 changed the title Autofill and submit passwords with card removed Autofill and submit credentials with card removed Nov 16, 2021
@limpkin
Copy link
Contributor

limpkin commented Nov 21, 2021

thanks for the report! we'll update the extension ASAP to tackle that.

@limpkin
Copy link
Contributor

limpkin commented Jan 8, 2022

We still haven't forgotten this issue :). FYI this is due to our 30 seconds credential buffer dedicated to that very tab (no other) so the problem is limited.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ai212983 @limpkin