Closed Bug 933223 Opened 11 years ago Closed 11 years ago

Firefox Inspector window is used to un-mask entered password in all top sites.

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
24 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: jain.sumith, Unassigned)

References

Details

Attachments

(1 file)

Unmask PWD.JPG
167.03 KB, image/jpeg
Details
Attached image Unmask PWD.JPG 
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 20131025151332

Steps to reproduce:

Steps to reproduce the vulnerability:

1. In Firefox 24.0, User 1 opened Gmail/Login page, https://accounts.google.com.

2.  Enter valid email and password (ensure password is masked)

3. without clicking on 'Login' button, User1 went away for coffee.

4. User2 got an access of user1 pc with gmail/facebook credentials entered in step2.

5. User2 clicks inside password field and right click -> Inspect Element option.

6. Observe that user can see Inspector console window at the bottom of browser with password html tag selected - <input id="Passwd" class="" type="password" placeholder="Password" name="Passwd"></input>.

7. User 2 edited above tag's type value as "text" in place of password and enter i.e. changed to <input id="Passwd" class="" type="text" placeholder="Password" name="Passwd"></input>.

8. Observe that the password field value is shown in password field as normal text (password unmasked) that means user2 hijacked password of user1.



Actual results:

User can unmask the masked password entered (with asterisks or dots) using Firefox inspector window for all the top sites like facebook, gmail,live login page.


Expected results:

Browser should not give access to edit important html tags properties using inspector window which results in password steal.
Well-known: this is how web password fields work, and there are many ways to accomplish this including using JS from the console or even a JS bookmarklet.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Benjamin, but this behavior making other users to see their passwords easily in all sites like facebook, gmail, paypal etc, Don't it be serious threat. Can't ir be fixed ?
HI Benjamin/Curtis/YF, 

 My Tickets are marked as duplicate of this BUG... thats ok with me.. But should this be considered as a fix that should be added in any further releases please.. Its a real threat specially considering a situation of an Internet Cafe where in a single PC is being share by multiple people... 

 kindly let me know your thoughts...

Regards
Amith K
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: