Closed Bug 581795 Opened 14 years ago Closed 14 years ago

Problem with password input fields in all pages

Categories

(Firefox :: Security, defect)

Not set
normal

RESOLVED WONTFIX

People

(Reporter: deandres.alfonso, Unassigned)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Creative AutoUpdate v1.40.01)
Build Identifier: 

If you are on a page that requires a password (like Gmail or Facebook), it's too easy to read the page code and look for the password input id on the page. If a user has typed the password (shown with asterisks) and left the computer for a moment, or a user has activated the remember-password option and the password is shown automatically, you can type the next sentence in the URL address bar and obtain the password without the mask:

javascript:alert(document.getElementById("PASSID").value);
PASSID is the id in the page code of that page

It's too easy but very dangerous.

Reproducible: Always

Steps to Reproduce:
1. Go to any page with a password field
2. View the page code and obtain the password field id
3. Type any password in the password field of the page
4. Type the next sentence in the URL address bar:
javascript:alert(document.getElementById("PasswordID").value);
5. Here it is, javascript:alert(document.getElementById("Passwd").value);!!!
Actual Results:  
Alert box with the password not masked

Expected Results:  
No javascript allowed in URL ADDRESS BAR

It's data stored on your computer. There are many ways to get this data; we do want to implement bug 305692 to protect *you* from phishing-style attacks, but the real solution to this bug is for you to lock your computer screen.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX