
Issue 752957


Issue metadata

Status: Duplicate
Merged: issue 126398
Owner: ----
Closed: Aug 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: viewing autofill hidden passwords

Reported by mtaffel...@gmail.com, Aug 7 2017

Issue description

VULNERABILITY DETAILS
When using Chrome's autofill feature for password logins the password can be 
seen by anyone if they use dev tools (inspect) to change: input type="password"
to something else, for example input type="anything".

VERSION
Chrome Version: 60.0.3112.90 (Official Build) (64-bit)
Operating System: Windows 10

REPRODUCTION CASE
1) Go to a sign-in page that has a hidden password autofilled.
2) Inspect the password field
<input type="password" id="ap_password" name="password" tabindex="2" class="a-input-text a-span12 auth-autofocus auth-required-field">

3) Change the type from "password" to something else.
4) You will now be able to see the password.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
N/A

 
Mergedinto: 126398
Status: Duplicate (was: Unconfirmed)
Thanks for the note. This is in fact the most commonly-reported misunderstanding of the browser security model. Please see 

https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#What-about-unmasking-of-passwords-with-the-developer-tools
Project Member

Comment 2 by sheriffbot@chromium.org, Nov 14 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
