Bug 11166 - An accessible app can fetch password as plain text from site
Summary: An accessible app can fetch password as plain text from site
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: 419.x
Hardware: Mac OS X 10.4
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-10-05 06:51 PDT by Håkan Waara
Modified: 2006-12-17 09:22 PST

See Also:

Description Håkan Waara 2006-10-05 06:51:29 PDT
I just noticed, using the Accessibility Inspector, that password text fields expose their contents.

Any app that is run could fetch the accessibility hierarchy of Safari, and get the contents of such a password field (even if the text is written out as bullets).

Steps to reproduce:

1. Go to gmail.com
2. Fill out the password field
3. Launch Accessibility Inspector.app and point at the password field. See the AXValue field to see your password in plain text.
Comment 1 mitz 2006-12-17 09:22:52 PST
Fixed in r17083 (<rdar://problem/4770453> VO not honoring secure edit fields in web pages).