New issue
Advanced search Search tips

Issue 751030 link

Starred by 2 users
Status: Duplicate
Merged: issue 126398
Owner: ----
Closed: Aug 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: input type="password" change to type="text" reveals input content

Reported by ton4o123...@gmail.com, Aug 1 2017 
VULNERABILITY DETAILS
When i change password input type from inspector to text the input content inside is revealed. This gets worse if auto-fill is on. We can read this input value from inspector console also via some javascript.

VERSION
Chrome Version: Version 60.0.3112.78 (Official Build) (64-bit)
Operating System: OS X 10.11.6

REPRODUCTION CASE
Attached gif reveals the issue at hand.

SUGGESTED FIX
Reset/Delete input data on type change.

Comment 1 by ton4o123...@gmail.com, Aug 1 2017 

product-security@apple.com said
"After examining your report we do not see any actual security implications."

webkit community said
"I think it might be impractical to make the passwords “secure” in this particular sense"

I strongly dissagree.

Comment 2 by elawrence@chromium.org, Aug 1 2017

Mergedinto: 126398
Status: Duplicate (was: Unconfirmed)
Indeed, this is the most commonly-reported misunderstanding of the browser security model.

If an attacker has unrestricted access to your computer, they can retrieve the data on it. See https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#What-about-unmasking-of-passwords-with-the-developer-tools for discussion.
Project Member

Comment 3 by sheriffbot@chromium.org, Nov 7 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment