Closed
Bug 1310915
Opened 8 years ago
Closed 8 years ago
Security Vulnerability -- can view saved passwords for users by modifying input type in inspector
Categories
(Firefox :: Untriaged, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 933223
People
(Reporter: mike, Unassigned)
Details
Attachments
(1 file)
45.94 KB,
image/png
|
Details |
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0 Build ID: 20160623154057 Steps to reproduce: After entering master password once, it is possible to visit any site and retrieve the actual plaintext version of any password -- this poses a huge security risk as their passwords could be stolen by malicious plugins/scripts -- How its done: 1. Enter your master password to auto-fill in saved login/password for any ole site 2. login to any site. 3. Now visit a different secure site like that has a saved password stored 4. Navigate to the login page where you would normally enter your password 5. Auto-fill in the login credentials that you have saved, but _don't_ actually login 6. Right click on the Password field where you should see a series of masked chars covering over your password 7. Click on Inspect 8. Click on the type attribute in the input element that says type="password" 9. Change it to type="text" Actual results: Voila, The password is revealed without having to re-enter the master password (unlike the show passwords function) Expected results: Changing an input element with type="password" which is not blank should not reveal your password if it has been auto-filled in via password manager without asking you for the master password first.
Updated•8 years ago
|
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•