
Browsers auto-completing the user's password into inappropriate password unmask form fields


Details

    • Affects Version/s: MOODLE_311_STABLE, MOODLE_400_STABLE, MOODLE_401_STABLE
    • Fix Version/s: MOODLE_311_STABLE, MOODLE_400_STABLE, MOODLE_401_STABLE
    • Pull branches: MDL-76478-password-unmask-MOODLE_401_STABLE, MDL-76478-password-unmask

    Testing Instructions
      1. Open Moodle on Chrome/Edge/Firefox on a Moodle site that is set up to use https (use ngrok if needed)
      2. Make sure that your browser is set to fill passwords automatically (https://support.mozilla.org/en-US/kb/autofill-logins-firefox)
      3. Create a student S1
      4. Add a course C1
      5. Add a quiz Q1 (no need to add questions)
      6. Enrol the student S1 in the course
      7. Log out
      8. Log in as S1 and make the browser save your credentials
      9. Confirm your credentials are auto-populated in the login form
      10. Log out
      11. Log in as admin
      12. Go to the Q1
      13. Turn editing on
      14. Go to the User overrides of the quiz (Secondary navigation More > Overrides)
      15. Add a user override
      16. Toggle the password to visible
      17. Confirm your password is NOT autocompleted

    Description

      If the user has set Chrome (107.0.5304.122) or Edge (107.0.1418.56) to save and autofill the username and password of the Moodle site, when he/she creates a quiz and enables the use of Safe Exam Browser (Yes - Configure manually) the browser automatically fills the "Quit password" field with the user's password without even noticing it until the students end the quiz and they are forced to tell them their password to be able to finish the quiz (!!!).

      This behaviour can be detected when creating the quiz because the browser also adds the username to the quiz name.

      This same issue also happens when adding user/group overrides to the quiz (it adds the user password to the override password field).

      It doesn't happen with Firefox 107.0.

      I don't think this is actually a Moodle security issue but one for the browsers, but the effects are surely a security problem, so I've added that flag to this issue.

      Steps to replicate the issue:

      • Open Moodle on Chrome/Edge
      • Log in to the site and make the browser save your credentials
      • Go to a course where you have editing capabilities

      Issue A (SEB):

      • Turn editing on
      • Add a quiz
      • Enable the use of Safe Exam Browser (Yes - Configure manually)
      • Save changes (without even touching the "Quit password" setting)
      • Notice that the SEB Quit password is the user's password (you can check it by querying the database or by trying to answer the quiz)

      Issue B (user overrides):

      • Turn editing on
      • Add a quiz
      • Go to the User overrides of the quiz
      • Add a user override
      • Save changes (without even touching the "Require password" setting)
      • Notice that the override's 'Require password' is the user's password (you can check it by querying the database or by trying to answer the quiz logged in as that overridden user)
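      As an added audit example (not Moodle's code and not part of this issue): a small JavaScript helper that scans a form's HTML for password-type inputs lacking an autocomplete hint that keeps a saved login password out, which is the kind of field the SEB "Quit password" and override "Require password" settings turn out to be. The sample form HTML and its field names are constructed for the example.

```javascript
// Added audit helper, not Moodle code: list <input type="password"> fields in
// an HTML fragment that a browser may fill with the user's saved login password.
// A field passes only when it carries autocomplete="new-password" or "off",
// the hints browsers honour for secrets that are NOT the user's own login.

function parseAttributes(tag) {
  // Strip "<input" and the closing ">" / "/>", then read name="value" pairs;
  // bare boolean attributes (e.g. required) map to an empty string.
  const body = tag.replace(/^<\s*input\b/i, '').replace(/\/?>$/, '');
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function findAutofillProneFields(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const a = parseAttributes(m[0]);
    if ((a.type || 'text').toLowerCase() !== 'password') continue;
    const hint = (a.autocomplete || '').toLowerCase();
    if (hint === 'new-password' || hint === 'off') continue;
    findings.push({ name: a.name || a.id || '(unnamed)', autocomplete: hint || '(absent)' });
  }
  return findings;
}

// Constructed sample (field names are hypothetical): a quiz settings form with
// one unprotected secret field (an SEB quit password) and one protected one.
const SAMPLE_FORM_HTML = `
  <input type="text" name="name" id="id_name">
  <input type="password" name="seb_quitpassword" id="id_seb_quitpassword" required>
  <input type='password' name='overridepassword' autocomplete='new-password'>
`;

console.log(findAutofillProneFields(SAMPLE_FORM_HTML));
```

      Run it against the rendered HTML of any form that is not a login form; every field it reports is one the browser may silently populate with the stored account password.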

    Votes: 36
    Watchers: 51