User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170628075643

Steps to reproduce:

If a person logs in to his/her Facebook account and logs out again, afterwards it is very easy to gain access to the user's password. Very big issue on public computers. I filmed it with my iPad and gave some comment. You can find the filmed part in the attachment. This bug is huge and I want to claim the maximum reward. My bank account number is: BE21 7380 2165 8203

Actual results:

So once a person is logged out with a saved password in the browser, it is very easy to gain access. Right-click on the dots where the password is, go to Inspect Element, then delete, under type="password", the word "password" and hit Enter!!!! The password will be available to read where the dots were. See the print screen in the attachment.

Expected results:

Well, actually, when a person deletes the "password" string in type="password", that should not allow the dots to become visible as the actual password. Imagine what a simple script in Python could do!!!!!!!!! Do not make this bug public until resolved. You can always contact me on email@example.com or 0032497623575. I think I deserve the maximum bug reward for this one. Kind regards, Michel Bruyer
Thank you for taking your time to report to us, Michel. Unfortunately, this report is not eligible for a reward, as you seem to misunderstand how the web works and who is allowed to access what at which time. The element inspection works only for you, with the password auto-filled into the input field. The ***** masking is to prevent people walking by looking at your password. It is not meant to protect against local computer access. I'm afraid Bugzilla is not the right forum to give an exhaustive introduction or explanation of computer security, so we'll have to stop here.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → INVALID
Hmmm, quote: "the ****** masking is to prevent people walking by looking at your password", so...... talking about security here, right! Quote: "it is not meant to protect against local computer access"???? So the ******** are not meant to protect local computer access. What a contradiction in two sentences in the same context. Pfff. Well, let's hope not many people will use public computers anymore then, 'cause being logged in once at a public computer or someone else's computer means and equals a password vulnerability for those persons who use them. Well, you'd better inform Firefox and Chrome (yep, Chrome also) users not to use these browsers on public computers then, or even other computers for that matter. Element inspection only works for me? Really??? That's your answer?!! You can't think "this one" out of the box? I guess you are right and we'll have to stop here. Kind regards
Please keep comments respectful. Freddy is correct as to the scope of the feature. It is functioning as designed and this is not a valid security problem.
Hence the reason why security is what it is in our days. If a feature scope is a reason to DEFINE a problem as being "not a problem", so be it. The non-existing problem (for almost a decade) is SOLVED. The solution has found its way already. Good luck
Component: Untriaged → General
Product: Firefox → Invalid Bugs
Version: 54 Branch → unspecified