Bug 1310915 (Closed)
Opened 9 years ago, closed 9 years ago
Security Vulnerability -- can view saved passwords for users by modifying input type in inspector
Categories: Firefox :: Untriaged, defect
Status: RESOLVED DUPLICATE of bug 933223
People: Reporter: mike; Unassigned
Attachments: 1 file (45.94 KB, image/png)
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160623154057
Steps to reproduce:
After entering the master password once, it is possible to visit any site and retrieve the actual plaintext version of any password. This poses a huge security risk, as their passwords could be stolen by malicious plugins/scripts.
How it's done:
1. Enter your master password to auto-fill in saved login/password for any ole site
2. Log in to any site.
3. Now visit a different secure site like that has a saved password stored
4. Navigate to the login page where you would normally enter your password
5. Auto-fill in the login credentials that you have saved, but _don't_ actually login
6. Right click on the Password field where you should see a series of masked chars covering over your password
7. Click on Inspect
8. Click on the type attribute in the input element that says type="password"
9. Change it to type="text"
Actual results:
Voila, the password is revealed without having to re-enter the master password (unlike the show passwords function).
Expected results:
Changing an input element with type="password" which is not blank should not reveal your password if it has been auto-filled in via password manager without asking you for the master password first.
Updated • 9 years ago
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE