Avoid showing password as a plain text under Form Data in Network Tab
Reported by
vinay.s.banakar@gmail.com,
Jul 5
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce the problem:
1. Go to https://github.com/login (or any website)
2. Open DevTools and switch to Network tab
3. Login with credentials, a post call to the server.
4. Look at the request's "Form Data" in the "Headers" tab.

What is the expected behavior?
The expected behavior should be, if the field of the type password is present in the request body, then it must be obfuscated or hidden found under "Form Data" section in Headers Tab.

What went wrong?
If the POST body has a field of type password, then do not show it in plain text under Form Data section, this is a security issue. DevTools should offer a checkbox or a prompt to the user if he likes to view the password as plain text.

Did this work before? No

Chrome version: <Copy from: 'Version 67.0.3396.99 (Official Build) (64-bit)'
Channel: stable
OS Version: 10.0
Flash Version: 30.0.0.113
,
Jul 5
,
Jul 6
Thanks for filing the issue! From comment#0 it is understood that the issue seems to be a feature request rather than a bug, hence adding appropriate component and marking it as Untriaged. Requesting someone from respective team to have a look into this issue and help in further triaging.
,
Jul 9
All cookies are visible in plain text, and you can select any password field and type $0.value in the console. If an attacker has access to open devtools on your machine, you're definitely already compromised. We do not consider this a security issue.
,
Jul 9
Comment 1 by vinay.s.banakar@gmail.com
, Jul 5