mooltipass/extension

Autofill and submit credentials with card removed

ai212983 opened this issue · 2 comments

  1. Go to some website with login form
  2. Add username/password to Mooltipass, enable autosubmit
  3. Refresh the page if necessary, observe auto-login
  4. Remove card from Mooltipass
  5. Logout from the website
  6. Probably redirected to login page; if not, navigate to login page.
  7. Observe auto-login with Mooltipass without card

Cannot provide a specific site, as it's Artifactory on our internal network. Looks like a huge security problem to me. No way the password should be in the system once the card is not in the device.

N.B. Looks related to #52 and credentials caching

Thanks for the report! We'll update the extension ASAP to tackle that.

We still haven't forgotten this issue :). FYI this is due to our 30-second credential buffer dedicated to that very tab (no other), so the problem is limited.
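
The last comment attributes the behaviour to a 30-second credential buffer bound to a single tab. The sketch below is an added illustration, not the extension's own code: it shows a buffer of that shape that is also flushed when the card is removed. The class, method and callback names are hypothetical, and the device-status callback is an assumption about how card removal would be reported.

```javascript
// Hypothetical per-tab credential buffer (illustrative names only).
class TabCredentialBuffer {
  constructor(ttlMs = 30000, now = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now;               // injectable clock so expiry can be tested
    this.entries = new Map();     // tabId -> { origin, login, password, expires }
    this.cardPresent = false;
  }
  // Assumed to be called whenever the device reports card inserted/removed.
  onDeviceStatus(cardPresent) {
    this.cardPresent = cardPresent;
    if (!cardPresent) this.entries.clear();  // flush every tab on removal
  }
  put(tabId, origin, login, password) {
    if (!this.cardPresent) return false;     // never buffer while no card
    const expires = this.now() + this.ttlMs;
    this.entries.set(tabId, { origin, login, password, expires });
    return true;
  }
  get(tabId, origin) {
    const e = this.entries.get(tabId);
    if (!e) return null;
    const stale = this.now() >= e.expires;
    if (!this.cardPresent || stale || e.origin !== origin) {
      this.entries.delete(tabId);            // drop rather than keep a bad entry
      return null;
    }
    return { login: e.login, password: e.password };
  }
  onTabClosed(tabId) { this.entries.delete(tabId); }
}

// Replays the report's steps with constructed values and a fake clock.
function replayIssueSteps() {
  let t = 0;
  const origin = "https://artifactory.example";   // constructed sample origin
  const buf = new TabCredentialBuffer(30000, () => t);
  buf.onDeviceStatus(true);                        // card inserted
  buf.put(7, origin, "alice", "constructed-secret");
  t = 5000;
  const withCard = buf.get(7, origin) !== null;    // auto-login works
  buf.onDeviceStatus(false);                       // step 4: card removed
  t = 10000;                                       // still inside the 30 s window
  const afterRemoval = buf.get(7, origin);         // step 7: nothing to autofill
  buf.onDeviceStatus(true);                        // reinsert does not revive it
  const afterReinsert = buf.get(7, origin);
  return { withCard, afterRemoval, afterReinsert };
}
```
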