Auto-filled passwords are visible in plain text if the input type of the text box is changed using dev tools.
Reported by
kir...@gmail.com,
Sep 21
|
|||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 Steps to reproduce the problem: 1. Log in to a website and choose to have Chrome save your username and password. 2. Log out (or otherwise get back to login page). Chrome should auto-fill the username and password at this point. 3. Inspect the password textbox using dev tools and change the type from "password" to "text". 4. The saved password is now visible in plain text. What is the expected behavior? The saved passwords shouldn't be visible in plain text anywhere without first entering some kind of master password (either the user's google account password or the PC user's password). What went wrong? Chrome should either respect the autocomplete element (thus allowing developers to choose whether passwords can be saved) or not allow any auto-filled password fields to be modified via the dev tools. Did this work before? No Chrome version: 68.0.3440.106 Channel: stable OS Version: 10.0 Flash Version:
,
Sep 23
,
Sep 24
This is how autofill works. Chrome reveals the password to the page after the user interacts with it. We have plans to support the mode when the credential is filled only after user manually selects it. |
|||
►
Sign in to add a comment |
|||
Comment 1 by alph@chromium.org
, Sep 21