Bug 11166
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | An accessible app can fetch password as plain text from site | | |
| Product | WebKit | Reporter | Håkan Waara <hwaara> |
| Component | Accessibility | Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED FIXED | | |
| Severity | Normal | CC | ap |
| Priority | P2 | | |
| Version | 419.x | | |
| Hardware | Mac | | |
| OS | OS X 10.4 | | |
Håkan Waara
I just noticed, using the Accessibility Inspector, that password text fields expose their contents.
Any app that is run could fetch the accessibility hierarchy of Safari and get the contents of such a password field (even though the text is displayed as bullets).
Steps to reproduce:
1. Go to gmail.com
2. Fill out the password field
3. Launch Accessibility Inspector.app and point at the password field. See the AXValue field to see your password in plain text.
mitz
Fixed in r17083 (<rdar://problem/4770453> VO not honoring secure edit fields in web pages).