Closed Bug 1268760 Opened 10 years ago Closed 10 years ago

Password can be hacked using developer tool

Categories

(Firefox :: Untriaged, defect)

44 Branch
defect
Not set
normal


VERIFIED INVALID

People

(Reporter: bnivetha, Unassigned)

Details

Attachments

(3 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160210153822

Steps to reproduce:

1. Open log-in page of websites like Facebook, Flipkart, Bugzilla etc.
2. Press F12 (to open Developer tool)
3. Open 'Network' view in developer tool
4. Provide webpage credentials and login
5. Select the 'POST' method that is likely to contain website password as part of its query string
6. Select 'Params' tab in the request details view

Actual results:

The password is shown here unencrypted (refer attached screenshot for reference; Password has been blacked out in this screenshot)

Expected results:

Sensitive information like password should not be shown
Whiteboard: DUPEME
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Whiteboard: DUPEME
Attached image Uber login Screenshot
This bug is not a duplicate of bug 933223. In bug 933223:

" 6. Observe that user can see Inspector console window at the bottom of browser with password html tag selected - <input id="Passwd" class="" type="password" placeholder="Password" name="Passwd"></input>.
7. User 2 edited above tag's type value as "text" in place of password and enter i.e. changed to <input id="Passwd" class="" type="text" placeholder="Password" name="Passwd"></input>. "

But in this bug, password is just directly visible to user in the Network->Params tab. User DOES NOT HAVE TO EDIT the tag's value in this case. Pl refer second screenshot attached also. Also please note that this bug is not there in any other browser.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
(In reply to bnivetha from comment #3)
> Pl refer second screenshot attached also. Also please note that this bug is
> not there in any other browser.

This isn't true; Chrome will show you exactly the same information, as shown in the bottom of this screenshot. (obviously, my password isn't actually abcdef...)

I'm happy to mark this bug 'invalid' individually if you don't like me marking it a duplicate, but the fact is that it isn't a bug that developer tools let you inspect everything about how a page works, including password fields, and including the full contents of form submissions.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Status: RESOLVED → VERIFIED
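
The Params view discussed in this thread shows the decoded form body that the page itself submits. The following is an added example, not part of the bug thread or of Firefox's code: it decodes such a body and masks sensitive fields so request details can be pasted into a bug report without the credential. The field-name pattern, the mask string and the sample values are assumptions constructed for illustration.

```javascript
// Added example. SENSITIVE, MASK and the sample inputs are constructed
// assumptions, not values taken from the bug report.
const SENSITIVE = /pass(w(or)?d)?|pwd|secret|token/i;
const MASK = "REDACTED";

// Decode an application/x-www-form-urlencoded body into name/value pairs,
// which is what a request "Params" view presents to the user.
function decodeFormBody(body) {
  return [...new URLSearchParams(body)].map(([name, value]) => ({ name, value }));
}

// Re-encode the body with the value of every sensitive-looking field masked.
// Repeated field names and percent-encoded separators are preserved correctly
// because the body is parsed, not pattern-matched as a raw string.
function redactFormBody(body, pattern = SENSITIVE) {
  const out = new URLSearchParams();
  for (const { name, value } of decodeFormBody(body)) {
    out.append(name, pattern.test(name) ? MASK : value);
  }
  return out.toString();
}

// Same treatment for parameters carried in a URL query string.
function redactUrl(url, pattern = SENSITIVE) {
  const u = new URL(url);
  u.search = redactFormBody(u.search.slice(1), pattern);
  return u.href;
}

// Constructed sample: the password contains an encoded '&' that a naive
// split on '&' would cut in half, leaking part of the value.
const sampleBody = "email=user%40example.com&Passwd=abc%26def&remember=1";
const sampleUrl = "https://example.test/login?next=%2Fhome&token=abc123";

console.log(decodeFormBody(sampleBody)); // plaintext, as the Params tab shows it
console.log(redactFormBody(sampleBody)); // safe to attach to a report
console.log(redactUrl(sampleUrl));
```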