Autofill and submit credentials with card removed
ai212983 opened this issue · 2 comments
ai212983 commented
- Go to some website with login form
- Add username/password to Mooltipass, enable autosubmit
- Refresh the page if necessary, observe auto-login
- Remove card from Mooltipass
- Logout from the website
- Probably redirected to login page, if not, navigate to login page.
- Observe auto-login with Mooltipass without card
Can not provide specific site, as its Artifactory on our internal network. Looks like a huge security problem to me. No way password should be in the system once card is not in the device.
N.B. Looks related to #52 and credentials caching
limpkin commented
thanks for the report! we'll update the extension ASAP to tackle that.
limpkin commented
We still haven't forgotten this issue :). FYI this is due to our 30 seconds credential buffer dedicated to that very tab (no other) so the problem is limited.