Closed
Bug 933223
Opened 11 years ago
Closed 11 years ago
Firefox Inspector window is used to un-mask entered password in all top sites.
Categories
(Firefox :: Untriaged, defect)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: jain.sumith, Unassigned)
References
Details
Attachments
(1 file)
167.03 KB,
image/jpeg
|
Details |
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release) Build ID: 20131025151332 Steps to reproduce: Steps to reproduce the vulnerability: 1. In Firefox 24.0, User 1 opened Gmail/Login page, https://accounts.google.com. 2. Enter valid email and password (ensure password is masked) 3. without clicking on 'Login' button, User1 went away for coffee. 4. User2 got an access of user1 pc with gmail/facebook credentials entered in step2. 5. User2 clicks inside password field and right click -> Inspect Element option. 6. Observe that user can see Inspector console window at the bottom of browser with password html tag selected - <input id="Passwd" class="" type="password" placeholder="Password" name="Passwd"></input>. 7. User 2 edited above tag's type value as "text" in place of password and enter i.e. changed to <input id="Passwd" class="" type="text" placeholder="Password" name="Passwd"></input>. 8. Observe that the password field value is shown in password field as normal text (password unmasked) that means user2 hijacked password of user1. Actual results: User can unmask the masked password entered (with asterisks or dots) using Firefox inspector window for all the top sites like facebook, gmail,live login page. Expected results: Browser should not give access to edit important html tags properties using inspector window which results in password steal.
Comment 1•11 years ago
|
||
Well-known: this is how web password fields work, and there are many ways to accomplish this including using JS from the console or even a JS bookmarklet.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Reporter | ||
Comment 2•11 years ago
|
||
Benjamin, but this behavior making other users to see their passwords easily in all sites like facebook, gmail, paypal etc, Don't it be serious threat. Can't ir be fixed ?
Comment 8•10 years ago
|
||
HI Benjamin/Curtis/YF, My Tickets are marked as duplicate of this BUG... thats ok with me.. But should this be considered as a fix that should be added in any further releases please.. Its a real threat specially considering a situation of an Internet Cafe where in a single PC is being share by multiple people... kindly let me know your thoughts... Regards Amith K
You need to log in
before you can comment on or make changes to this bug.
Description
•