Firefox Inspector window is used to un-mask entered password in all top sites.




5 years ago
11 months ago


(Reporter: jain.sumith, Unassigned)


24 Branch
Windows 7

Firefox Tracking Flags

(Not tracked)



(1 attachment)



5 years ago
Created attachment 825268 [details]
Unmask PWD.JPG

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 20131025151332

Steps to reproduce:

Steps to reproduce the vulnerability:

1. In Firefox 24.0, User 1 opened Gmail/Login page,

2.  Enter valid email and password (ensure password is masked)

3. without clicking on 'Login' button, User1 went away for coffee.

4. User2 got an access of user1 pc with gmail/facebook credentials entered in step2.

5. User2 clicks inside password field and right click -> Inspect Element option.

6. Observe that user can see Inspector console window at the bottom of browser with password html tag selected - <input id="Passwd" class="" type="password" placeholder="Password" name="Passwd"></input>.

7. User 2 edited above tag's type value as "text" in place of password and enter i.e. changed to <input id="Passwd" class="" type="text" placeholder="Password" name="Passwd"></input>.

8. Observe that the password field value is shown in password field as normal text (password unmasked) that means user2 hijacked password of user1.

Actual results:

User can unmask the masked password entered (with asterisks or dots) using Firefox inspector window for all the top sites like facebook, gmail,live login page.

Expected results:

Browser should not give access to edit important html tags properties using inspector window which results in password steal.

Comment 1

5 years ago
Well-known: this is how web password fields work, and there are many ways to accomplish this including using JS from the console or even a JS bookmarklet.
Group: core-security
Last Resolved: 5 years ago
Resolution: --- → WONTFIX

Comment 2

5 years ago
Benjamin, but this behavior making other users to see their passwords easily in all sites like facebook, gmail, paypal etc, Don't it be serious threat. Can't ir be fixed ?


5 years ago
Duplicate of this bug: 970268
Duplicate of this bug: 970853
Duplicate of this bug: 988159


4 years ago
Duplicate of this bug: 1016335

Comment 8

4 years ago
HI Benjamin/Curtis/YF, 

 My Tickets are marked as duplicate of this BUG... thats ok with me.. But should this be considered as a fix that should be added in any further releases please.. Its a real threat specially considering a situation of an Internet Cafe where in a single PC is being share by multiple people... 

 kindly let me know your thoughts...

Amith K
Duplicate of this bug: 1268250
Duplicate of this bug: 1268760
Duplicate of this bug: 1301866
Duplicate of this bug: 1303854
Duplicate of this bug: 1310915
Duplicate of this bug: 1317952
Duplicate of this bug: 1406840
You need to log in before you can comment on or make changes to this bug.