[HTTPS-Everywhere] Security issue: HTTPS-Everywhere leaks HTTP login data to console output

Natanji natanji at gmail.com
Tue Jun 19 14:03:05 PDT 2012


I noticed this when using Xmarks with the "own server" feature. This
will make Xmarks authenticate to the server using a username and
password in the standard HTTP way of username:password@domain. Whenever
Xmarks establishes a connection, this will lead to the following text
being printed to console:

    no loadgroup notificationCallbacks for https://<user>:<password>@<domain>/bookmarks.html

It goes without saying that something as sensitive as login credentials
should *never* be leaked as cleartext to console.

According to [1], the exception occurs because HTTPS Everywhere tries to
find the window that the https request is coming from - in the case of a
background plugin, such a window of course doesn't exist, hence that
text is printed to the terminal.

I recommend just removing the whole "no loadgroup
notificationCallbacks" message unless some option in Firefox makes
it clear that debugging on the console is happening; for instance by
checking if browser.dom.window.dump.enabled is set. But I guess you will
figure something out.

If you have any questions, I'll gladly answer them (I'm not part of this
mailing list, so remember to CC any messages in this topic to me).

Regards,
Natanji

[1] https://mail2.eff.org/pipermail/https-everywhere/2012-May/001432.html
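An added example, not code from this report or from HTTPS Everywhere: a logging helper that applies the two mitigations the report suggests, stripping userinfo (and any query or fragment) from a URL before it can reach the console, and emitting the diagnostic only when a debug-enabled check passes. The `isDebugEnabled` callback, the `sink` parameter and the `REDACTED` placeholder are assumptions; the WHATWG URL API is used for parsing.

```javascript
// Redact anything in a URL that may carry secrets before it is logged.
// Assumes the WHATWG URL API (Node.js and modern browsers); not HTTPS Everywhere code.
function redactUrlForLog(rawUrl) {
  let parsed;
  try {
    parsed = new URL(String(rawUrl));
  } catch (e) {
    // Unparseable input is never echoed verbatim: it may still contain credentials.
    return "<unparseable url>";
  }
  if (parsed.username !== "" || parsed.password !== "") {
    // Keep a marker so the reader can tell credentials were present, but drop their values.
    parsed.username = "REDACTED";
    parsed.password = "";
  }
  // Query strings and fragments commonly carry session tokens; drop them too.
  parsed.search = "";
  parsed.hash = "";
  return parsed.toString();
}

// Build a logger for the "no loadgroup notificationCallbacks" diagnostic that
// only writes when debugging is explicitly enabled (e.g. a callback reading
// browser.dom.window.dump.enabled, assumed here) and always redacts the URL.
// Returns the emitted line, or null when the message was suppressed.
function makeDebugLogger(isDebugEnabled, sink) {
  return function logNoLoadGroup(url) {
    if (!isDebugEnabled()) {
      return null;
    }
    const line = "no loadgroup notificationCallbacks for " + redactUrlForLog(url);
    sink(line);
    return line;
  };
}

// Constructed sample mirroring the leaked line from the report (not a real account).
const SAMPLE_LEAKED_URL = "https://alice:s3cret@example.com/bookmarks.html";
```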