Security Vulnerability -- can view saved passwords for users by modifying input type in inspector

RESOLVED DUPLICATE of bug 933223


People

(Reporter: mike, Unassigned)

Tracking

47 Branch

Firefox Tracking Flags

(Not tracked)


Description

2 years ago
Created attachment 8801980 [details]
PasswordFormSecurity.PNG

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160623154057

Steps to reproduce:

After entering the master password once, it is possible to visit any site and retrieve the actual plaintext version of any password -- this poses a huge security risk as their passwords could be stolen by malicious plugins/scripts --

How it's done:

1. Enter your master password to auto-fill in saved login/password for any ole site
2. Log in to any site.
3. Now visit a different secure site like that has a saved password stored
4. Navigate to the login page where you would normally enter your password
5. Auto-fill in the login credentials that you have saved, but _don't_ actually log in
6. Right click on the Password field where you should see a series of masked chars covering over your password
7. Click on Inspect
8. Click on the type attribute in the input element that says type="password"
9. Change it to type="text"



Actual results:

Voila, the password is revealed without having to re-enter the master password (unlike the show passwords function)


Expected results:

Changing an input element with type="password" which is not blank should not reveal your password if it has been auto-filled in via password manager without asking you for the master password first.

Updated

2 years ago
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 933223
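
An added example, not part of the original report and not Firefox code: a page-side guard a site could ship that empties a filled password field when its `type` attribute is switched away from `password`, as in steps 8 and 9 of the report. The function names are hypothetical, and the guard covers only that attribute change; the field's value stays readable through `input.value` by any script running in the page.

```javascript
// Added example (hypothetical names): guard against unmasking a filled
// password field by editing its type attribute. The decision logic is kept
// separate from the DOM wiring so it can be exercised without a browser.

// True when a MutationRecord shows a non-empty field that was
// type="password" and is no longer.
function isUnmaskAttempt(record) {
  return record.type === 'attributes' &&
    record.attributeName === 'type' &&
    record.oldValue === 'password' &&
    record.target.type !== 'password' &&
    record.target.value !== '';
}

// Empties the field first, then restores type="password", so the saved
// password is not left sitting in a visible text field.
// Returns how many fields were reset.
function handleMutations(records) {
  let resets = 0;
  for (const record of records) {
    if (!isUnmaskAttempt(record)) continue;
    record.target.value = '';
    record.target.type = 'password'; // produces a record with oldValue "text", which is ignored
    resets += 1;
  }
  return resets;
}

// Browser wiring: watch the type attribute of every password field under root.
// Assumption: called after the login form exists in the DOM.
function guardPasswordFields(root) {
  const observer = new MutationObserver(handleMutations);
  for (const field of root.querySelectorAll('input[type="password"]')) {
    observer.observe(field, {
      attributes: true,
      attributeFilter: ['type'],
      attributeOldValue: true, // needed so record.oldValue carries "password"
    });
  }
  return observer;
}

if (typeof document !== 'undefined') {
  guardPasswordFields(document);
}
```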