Created attachment 8801980 [details] PasswordFormSecurity.PNG User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0 Build ID: 20160623154057 Steps to reproduce: After entering master password once, it is possible to visit any site and retrieve the actual plaintext version of any password -- this poses a huge security risk as their passwords could be stolen by malicious plugins/scripts -- How its done: 1. Enter your master password to auto-fill in saved login/password for any ole site 2. login to any site. 3. Now visit a different secure site like that has a saved password stored 4. Navigate to the login page where you would normally enter your password 5. Auto-fill in the login credentials that you have saved, but _don't_ actually login 6. Right click on the Password field where you should see a series of masked chars covering over your password 7. Click on Inspect 8. Click on the type attribute in the input element that says type="password" 9. Change it to type="text" Actual results: Voila, The password is revealed without having to re-enter the master password (unlike the show passwords function) Expected results: Changing an input element with type="password" which is not blank should not reveal your password if it has been auto-filled in via password manager without asking you for the master password first.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 933223
You need to log in before you can comment on or make changes to this bug.