Issue metadata
Sign in to add a comment
|
Able to unmask saved password
Reported by
daniel.c...@gmail.com,
Jul 4 2016
|
||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 Steps to reproduce the problem: 1. Go to https://my.lookout.com/user/login 2. Make sure you have your username and password saved in Chrome 3. Check the box "Show" and it will unmask your saved password What is the expected behavior? Should stay masked. Otherwise an unauthorized user could get a saved password in clear text. What went wrong? Should not be able to unmask a saved password. Did this work before? N/A Chrome version: 51.0.2704.103 Channel: stable OS Version: 10.0 Flash Version: Shockwave Flash 22.0 r0 Not sure what call they are using on their site to show the password. But Chrome should know if that password field was auto-filled vs a user typing it in.
,
Jul 4 2016
Please see the Chrome Security FAQ: https://www.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools- https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-
,
Oct 11 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by daniel.c...@gmail.com
, Jul 4 201616.6 KB
16.6 KB View Download