Able to see the characters of Password in Developer Tool.
Reported by renju1ku...@gmail.com, Jun 14 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce the problem:
1. Open Chromium browser and turn ON the F12 Developer tool of the browser.
2. Go to the Network tab in the F12 Developer tool and enable the 'Preserve log' checkbox.
3. Minimize the F12 Developer tool.
4. Ask your friend/anyone to log in to Facebook via the Chromium browser where the F12 developer tool is minimized.
5. Let your friend log in and, once logged in, tell him to log out of his session.
6. Now open the F12 developer tool which you minimized earlier.
7. Go to the Network tab, and take a look at the below php call for login.
https://www.facebook.com/login.php?login_attempt=1&lwv=120&lwc=1348060
8. Now go to the Header sub tab of the same login php call.
9. Take a look at the Form Data with the view source option on the right hand side of the F12 window.
10. There you can see your friend's password as
pass: <Password of your friend will be displayed here>

This scenario is a serious and very high priority security vulnerability issue which I feel.

Myself Renju Pappy Kunjumon, I am working as a Software developer in Oracle India Pvt. Ltd in Bangalore, India location.

What is the expected behavior?
Expected behavior should be either of the following.
1. Mask the characters of the Password field in Form data of the F12 Developer Tool.
2. Do not show the password field data in the F12 Developer Tool.

What went wrong?
The point I reported here has the below impacts.
1. I can see my user id and password without any encryption, which it's not supposed to be. This is a very critical and sensitive security violation.
2. I can hack any other user id and password with the current implementation in client side code of websites.
3. The Password field in the User Interface of websites is a text hiding one, which I agree. But I can know the exact user id and password in the server call for login validation, which it is not supposed to be, and it's a security vulnerability.

Did this work before? N/A

Chrome version: 58.0.3029.110 Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:

This scenario is a serious and very high priority security vulnerability issue which I feel. Facebook can file a case against Chromium/Google on this issue of exposing the password field to public.

Myself Renju Pappy Kunjumon, I am working as a Software developer in Oracle India Pvt. Ltd in Bangalore, India location.

Please feel free to discuss this security issue. You can reach me on +91 - 9746149306 or renju_kunjumon@yahoo.com
Jun 19 2017
@allada - do you know if this is intended behavior?
Jul 21 2017
Devtools is a developer tool, so yes, passwords, cookies, cache, etc. are present and recorded in devtools. If the site owner took care, they could hash the sensitive data and send it hashed. Cookie information after the user logs in would also be a security flaw. This is intended behavior, but thanks for the bug!
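
Since the Network panel records form data as submitted, anyone who copies a captured login request into a ticket or log has to mask it themselves. The following is an added example, not part of the original thread or of Chromium's code: it masks credential fields in a URL-encoded form body of the kind shown under Form Data with "view source". The function name, the field-name list and the sample body are assumptions made for illustration.

```javascript
// Field names treated as credentials (assumed list; extend per application).
const SENSITIVE = /^(pass(word|wd)?|pwd|secret|token)$/i;

// Mask credential values in an application/x-www-form-urlencoded body,
// keeping field order and every non-sensitive field byte-for-byte intact.
function maskFormData(body, pattern = SENSITIVE) {
  return body
    .split("&")
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      const rawName = eq === -1 ? pair : pair.slice(0, eq);
      let name;
      try {
        // Decode the name so that an encoded spelling such as Pass%77ord
        // cannot slip past the match.
        name = decodeURIComponent(rawName.replace(/\+/g, " "));
      } catch {
        name = rawName; // malformed percent-encoding: compare the raw name
      }
      if (!pattern.test(name)) return pair;
      return `${rawName}=********`; // fixed-width mask hides the length too
    })
    .join("&");
}

// Constructed sample body in the shape of a login form POST.
const sample = "email=user%40example.com&pass=hunter2%21&lwv=120";
console.log(maskFormData(sample));
```
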
Comment 1 by ranjitkan@chromium.org, Jun 19 2017