RESOLVED FIXED 11166
An accessible app can fetch password as plain text from site
https://bugs.webkit.org/show_bug.cgi?id=11166
Håkan Waara
Reported 2006-10-05 06:51:29 PDT
I just noticed, using the Accessibility Inspector, that password text fields expose their contents. Any app that is run could fetch the accessibility hierarchy of Safari and get the contents of such a password field (even if the text is written out as bullets).

Steps to reproduce:
1. Go to gmail.com
2. Fill out the password field
3. Launch Accessibility Inspector.app and point at the password field.

See the AXValue field to see your password in plain text.
mitz
Comment 1 2006-12-17 09:22:52 PST
Fixed in r17083 (<rdar://problem/4770453> VO not honoring secure edit fields in web pages).