Created attachment 825268 [details] Unmask PWD.JPG User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release) Build ID: 20131025151332 Steps to reproduce: Steps to reproduce the vulnerability: 1. In Firefox 24.0, User 1 opened Gmail/Login page, https://accounts.google.com. 2. Enter valid email and password (ensure password is masked) 3. without clicking on 'Login' button, User1 went away for coffee. 4. User2 got an access of user1 pc with gmail/facebook credentials entered in step2. 5. User2 clicks inside password field and right click -> Inspect Element option. 6. Observe that user can see Inspector console window at the bottom of browser with password html tag selected - <input id="Passwd" class="" type="password" placeholder="Password" name="Passwd"></input>. 7. User 2 edited above tag's type value as "text" in place of password and enter i.e. changed to <input id="Passwd" class="" type="text" placeholder="Password" name="Passwd"></input>. 8. Observe that the password field value is shown in password field as normal text (password unmasked) that means user2 hijacked password of user1. Actual results: User can unmask the masked password entered (with asterisks or dots) using Firefox inspector window for all the top sites like facebook, gmail,live login page. Expected results: Browser should not give access to edit important html tags properties using inspector window which results in password steal.
Well-known: this is how web password fields work, and there are many ways to accomplish this including using JS from the console or even a JS bookmarklet.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX
Benjamin, but this behavior making other users to see their passwords easily in all sites like facebook, gmail, paypal etc, Don't it be serious threat. Can't ir be fixed ?
Duplicate of this bug: 988159
Duplicate of this bug: 1016319
HI Benjamin/Curtis/YF, My Tickets are marked as duplicate of this BUG... thats ok with me.. But should this be considered as a fix that should be added in any further releases please.. Its a real threat specially considering a situation of an Internet Cafe where in a single PC is being share by multiple people... kindly let me know your thoughts... Regards Amith K
You need to log in before you can comment on or make changes to this bug.