
Issue 754622


Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2017
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




password text is not cleared when input type is changed

Reported by ekwmeil...@gmail.com, Aug 11 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

Steps to reproduce the problem:
1. Enter password in a password field 
2. Inspect and change input type from password to text
3. The text field contains the password.

What is the expected behavior?
The input field text should be cleared. See: Changing the type of an <input type=password> throws a security error in some browsers (old IE and Firefox versions). (https://stackoverflow.com/questions/9093992/change-html-input-type-by-js)

What went wrong?
If a user saved his password on the PC, it's easy to look at what it is after changing the type from password to text.

Did this work before? N/A 

Chrome version: 60.0.3112.90  Channel: stable
OS Version: 10.0
Flash Version:
 

Comment 1 by kenrb@chromium.org, Aug 11 2017

Status: WontFix (was: Unconfirmed)
Thanks for the report.

This scenario is mentioned in the Chrome Security FAQ, along with the reason why we don't consider this a bug.

"The reason the password is masked is only to prevent disclosure via “shoulder-surfing” (i.e. the passive viewing of your screen by nearby persons), not because it is a secret unknown to the browser. The browser knows the password at many layers, including JavaScript, developer tools, process memory, and so on. When you are physically local to the computer, and only when you are physically local to the computer, there are, and always will be, tools for extracting the password from any of these places."
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#What-about-unmasking-of-passwords-with-the-developer-tools
Project Member

Comment 2 by sheriffbot@chromium.org, Nov 18 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
