Closed
Bug 531238
Opened 16 years ago
Closed 16 years ago
Password can be seen in cleartext in login pages
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(Not tracked)
VERIFIED
DUPLICATE
of bug 530367
People
(Reporter: moz_poro, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4
Build Identifier:
It is possible to see passwords in login pages in cleartext when the changes from bug 514212 are in use in Fennec in N900.
Reproducible: Always
Steps to Reproduce:
1. Borrow a friend's N900 with Fennec installed.
2. Go to some page where you know your friend has used the password manager to save username and password. For example, www.gmail.com
3. When the page is loaded the username and password fields are auto filled by password manager.
Actual Results:
When the page has loaded the password is briefly seen in clear text before it is replaced by asterisks. So you are able to write down your friend's username and password on a piece of paper and go to your workstation and log in using your friend's credentials. If you couldn't get all the characters of the password while the page was loaded, you can have another look at the password (at least in gmail login page) by first focusing on the username field and then focusing on the password field. When focus goes to password field, the whole password is again shown in cleartext.
Expected Results:
The password cannot be seen in clear text.
This was reproducible always on N900 using fennec_1.0b6pre_armel.deb from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mobile-trunk/ dated 25-Nov-2009 01:59. Sorry I don't have better version information.
You could argue that when the physical security is gone, all hope is lost, but showing your devices to your friend is quite a common use case that should not allow easy password snooping.
Updated•16 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Updated•15 years ago
Component: Linux/Maemo → General
OS: Linux → Linux (embedded)
Hardware: Other → ARM