Password displayed as plain text in HTTP Fox add on window




6 years ago


(Reporter: Subramanian Palaniappan, Unassigned)


9 Branch
Windows XP

Firefox Tracking Flags

(Not tracked)



(1 attachment)



6 years ago
Created attachment 590259

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Build ID: 20111220165912

Steps to reproduce:

1. I installed HTTP Fox and let HTTP Fox run in a separate window.
2. I tried to log in to the Yahoo website.
3. I just supplied a dummy user name and password, as I expected my password might show as plain readable text.

Actual results:

1. It displayed my user name and password in the HTTP Fox POST DATA window.
2. I also verified with a few other websites that show their passwords.

Expected results:

1. Though the HTTP Fox add-on is very helpful for developers to trace their online data, there is a potential risk of capturing others' passwords without the user's knowledge. Especially in public web browsing places (web cafes are very common in India), common people who might not be aware of these technologies can easily lose their data.

2. Instead of forcing other plugins to stop collecting these passwords, why doesn't Firefox control the sending of critical data so that it cannot be captured even by the add-on developers?

Please consider this and have a look at the attached picture.
If you would like to know more about the issue and the sites which I tried with this, please reply to me and I can send more details.

[removing: Security Sensitive Core Bug]
This is not a security flaw with the product and this is a known type of attack. Credentials should not be passed over HTTP but that is outside the control of the browser. We have seen this before in things like FireSheep.

Users should take care not to pass credentials over HTTP connections. The add-on itself only looks at the local machine and not at the network, thus it does not capture information from other users or machines.
Group: core-security
Every add-on can do what it wants. Your report is comparable with "I installed a keylogger and I'm now surprised that this keylogger can log my passwords".
Last Resolved: 6 years ago
Resolution: --- → INVALID