you can get any password for any account if you had the machine or stealed the session
Reported by
sir.amr....@gmail.com,
Oct 10 2017
|
|||
Issue description
Chrome Version : <Copy from: 'any version'>
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari: PASS/FAIL (OK)
Firefox: PASS/FAIL (Ok)
IE: PASS/FAIL (OK)
What steps will reproduce the problem?
(1)if user used option of save password open any page like Facebook or Gmail
(2) remove attribute password from password text box
<another way to use a bug >
(1) Copy the form of any login page ( password text box and username text box)
(2) inject this HTML in browser while the user is logged in and try the above two steps
What is the expected result?
the password must be not visible for any one
What happens instead?
the password will appear normally
Please provide any additional information below. Attach a screenshot if
possible. Kindly Find Attached Videos
For graphics-related bugs, please copy/paste the contents of the about:gpu
page at the end of this report.
,
Oct 12 2017
Able to reproduce this issue on latest stable 61.0.3163.100 and latest canary 63.0.3238.0 using Windows 10,Ubuntu 14.04 and Mac 10.12.6. Same behaviour is seen from M-59(59.0.3071.0), from the introduction password being saved in settings page Hence considering this issue as Non-regression and marking this as Untriaged
,
Oct 13 2017
See here: https://dev.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools- |
|||
►
Sign in to add a comment |
|||
Comment 1 by nyerramilli@chromium.org
, Oct 10 2017