Huge security issue when sharing folder

[SamuelBenard]

The steps to share a folder and and a password are automatic and this could lead to big security issue if associated to browser's autofill feature.

Steps to reproduce

1. Save your login credentials in your browser
2. Login
3. Create a folder
4. Share it and enter an email (put you email as a test)
5. You should receive an email saying that your cloud shared a folder with you
6. On yout cloud page, In the email field, the email has been replaced by your login
7. Click the 3 dots to "protect with a password"
8. You receive an email with you login password

Expected behaviour

Shouldn't send password without confirmation, button or else

Actual behaviour

Sends the login password because of the autofill feature of the browser

Server configuration

Operating system:
Linux debian

Web server:
Apache 2

Database:
Mysql

PHP version:
7.2

Nextcloud version: (see Nextcloud admin page)
13.0.2

[skjnldsv]

Hey :)
It is supposed to be fixed, see #7461

[illukas]

Firefox 60 will ignore the 'new-password' property of the password field and still auto-fill it.
As a workaround its possible to duplicate the password fields and set the second one as not visible - with two fields present, Firefox is unable to decide which to auto-fill and will not fill either.

[MorrisJobke]

Firefox 60 will ignore the 'new-password' property of the password field and still auto-fill it.
As a workaround its possible to duplicate the password fields and set the second one as not visible - with two fields present, Firefox is unable to decide which to auto-fill and will not fill either.

This sounds like a bug in Firefox. Could you report it there as well and check if this is the wanted behavior?

See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input#attr-autocomplete

[illukas]

This sounds like a bug in Firefox.

According to this, it is intended behaviour: https://bugzilla.mozilla.org/show_bug.cgi?id=1353035

I don't agree with Mozilla. Its a huge security issue in Nextcloud's case, when LDAP auth is enabled and users have their AD domain passwords saved in FF's password manager.

Until Mozilla introduces a change in their browser, would it possible for the Nextcloud team to engineer a workaround for this? Considering that even if Firefox starts honoring the 'autocomplete=off/new-password' in the future; it would still be an issue on older versions of the browser.

#10647 Could be a viable workaround if implemented.

[DBJRdev]

Can confirm this issue still persists in Nextcloud 13.0.6 and Firefox 61.0.1.

The problem is that you can easily send out your password by accident, because of the dangerous combination of autofill + Nextcloud sending the share email out without a confirm button.

"Workarounds" for the moment: don't save your NC login in Firefox or save more than one NC account credentials in Firefox, because then autofill won't happen.

[skjnldsv]

Fixed with #15719