Created attachment 760043 [details]
proof of concept

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20100101 Firefox/10.0.12 Iceweasel/10.0.12 (Beta/Release)
Build ID: 20130303204535

Steps to reproduce:

Opened attached web page, searched for any text.

Actual results:

Web page was able, via repeatedly checking text selection and updating text, to figure out what I typed in the search box. (With some more work the page can actually add the searched text to the list of passwords, so that the search is less suspicious.) If I had been searching for my password the page could have uploaded it somewhere.

Expected results:

In some browsers -- e.g. Chrome -- searched text selection is not visible to the web page until the search box is closed. I don't know if this is the right thing to do, but this sort of situation should at least be considered -- as a user I typically expect that what I type in the search box is somewhat secret.
Attachment #760043 - Attachment mime type: text/plain → text/html
Marking NEW as this reproduces on Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130607 Firefox/24.0 ID:20130607031055 CSet: dc8e78ed8c44
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
Version: 10 Branch → Trunk