If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Problem with password input fields in all pages

RESOLVED WONTFIX

Status

()

Firefox
Security
RESOLVED WONTFIX
7 years ago
7 years ago

People

(Reporter: deandres.alfonso, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Creative AutoUpdate v1.40.01)
Build Identifier: 

If you are in a page that requires password (like gmail, facebook), it's too easy read the page code and look for the password input id on page. If one user has typed the password (showed with asterisk) and left a moment the computer or one user has activated the remember password option and the password is ahowed automatic, you can type in the URL address bar the next sentence and obtain the password without mask:

javascript:alert(document.getElementById("PASSID").value);
PASSID is the id in the page code of that page

It's too easy but very dangerous.

Reproducible: Always

Steps to Reproduce:
1.Go to any page with password field
2.View page code and obtain the password field id
3.Type any password in the password field of the page
4.Type in the url address bar the next sentence:
javascript:alert(document.getElementById("PasswordID").value);
5.Here is, javascript:alert(document.getElementById("Passwd").value);!!!
Actual Results:  
Alert box with the password not masked

Expected Results:  
No javascript allowed in URL ADDRESS BAR

Comment 1

7 years ago
It's data stored on your computer. There are many ways to get this data; we do want to implement bug 305692 to protect *you* from phishing-style attacks, but the real solution to this bug is for you to lock your computer screen.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.