If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

password remembering in plain text




Firefox for Android
2 months ago
28 days ago


(Reporter: Prasad, Unassigned)


54 Branch

Firefox Tracking Flags

(Not tracked)




2 months ago
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce:

1.There is a vulnerability having in android OS which is using Firefox browser.

2.When ever we trying to login the application using URL is www.gmail.com it will show user field and password field.

3.if success user name is there it will redirect to password field form.

4. here we will see previous login attempts which are entered either success login or failure logins too. which password is showing in plain text format.

5.after clearing the history and cache it is showing plain test format in application. please find the above images as will. 

6. after deleting history second time for same URl and same account www.gmail.com.

7.then we will see previous login attempts if double click the password field which are stored in application level and which are in plain text. in previous success and failed login attempts.

Actual results:

Android Firefox browser having vulnerability that when a web page is being access the password it is remembering the previous entered passwords after deleting the history and cache too. it might be possible to access the private or sensitive data exchanged within the session through the web browser cache.

Expected results:

1.Remove remembering passwords fields.
2.Ensure that no credentials are stored in clear text or are easily retrievable in encoded or encrypted forms in cookies.


2 months ago
Flags: needinfo?(lingamaiah.prasad)


2 months ago
Flags: needinfo?(lingamaiah.prasad)
OS: Unspecified → Android
I am not able to reproduce this behavior in Firefox for Android Nightly v56
Group: firefox-core-security

I've also tried reproducing this issue but was unsuccessful in my attempts. Leaving this open for the moment and will keep an eye open for this kind of behavior.
You need to log in before you can comment on or make changes to this bug.