New issue
Advanced search Search tips

Issue 770662 link

Starred by 1 user
Status: Duplicate
Merged: issue 126398
Owner: ----
Closed: Oct 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security



Sign in to add a comment

in chrome saved passwords can be shown by changing input type from password to text

Reported by b...@dolphiq.nl, Oct 2 2017 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. go to a website that you saved a password for
2. inspect the password element
3. change type='password' to type='test'
4. now you can see the saved password

What is the expected behavior?
when a input is changed from password to text the field should be empty

What went wrong?
if you save a password in chrome it gets stored in a password safe. when a user goos to a website that has a saved password it will fill in the login form. if you want to know the password you only have to inspect the password field and change the type from password to text. now the password id visible.

Did this work before? N/A 

Chrome version: 61.0.3163.100  Channel: stable
OS Version: OS X 10.12.6
Flash Version:

Comment 1 by elawrence@chromium.org, Oct 2 2017

Components: UI>Browser>Passwords
Mergedinto: 126398
Status: Duplicate (was: Unconfirmed)
Yes, the ability of a user to unmask their own password is well-known and not a security vulnerability.

From the FAQ: 
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#What-about-unmasking-of-passwords-with-the-developer-tools
Project Member

Comment 2 by sheriffbot@chromium.org, Jan 8 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment