Bug 6966 – Passwords not being hashed out upon entry

Bug 6966 - Passwords not being hashed out upon entry


Summary:	Passwords not being hashed out upon entry

Status:	RESOLVED DUPLICATE of bug 6598

Product:	Browser
Component:	MicroB engine
Version:	5.0/(1.2009.42-11)
Platform:	N900 Maemo

Importance:	Low normal (vote)
Target Milestone:	---
Assigned To:	unassigned
QA Contact:	browser-other-plugin-bugs

URL:	https://olb2.nationet.com/
Keywords:	security

Depends on:
Blocks:
	Show dependency tree

Reported:	2009-12-14 21:04 UTC by Paul
Modified:	2010-02-04 04:17 UTC (History)
CC List:	5 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description Paul (reporter) 2009-12-14 21:04:49 UTC

SOFTWARE VERSION:1.2009.42-11.203.2
(Settings > General > About product)

EXACT STEPS LEADING TO PROBLEM: 
(Explain in detail what you do (e.g. tap on OK) and what you see (e.g. message
Connection Failed appears))
1. when entering a password or number from drop down boxes, ie for online
banking, the numbers entered are not being hashed out and can still see them. 
The purpose of using a drop down down is to stop key logging.
2. 
3. 

EXPECTED OUTCOME:
pass words/numbers should be hashed out
ACTUAL OUTCOME:
not hashed out
REPRODUCIBILITY:
(always, less than 1/10, 5/10, 9/10)

EXTRA SOFTWARE INSTALLED:

OTHER COMMENTS:
check out an on line bank login page such as nationwide.co.uk.  I believe this
is a high security risk issue which needs attention urgently.

User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
Trident/4.0; GTB6.3; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
3.0.30729; Media Center PC 6.0; MDDC)

Comment 1 Lucas Maneos 2009-12-15 15:48:42 UTC

Confirmed.  I'm not sure it's microb's problem as the page doesn't even
validate, but it works as the reporter expects in Firefox 3.5.

Comment 2 Neil MacLeod maemo.org

2009-12-15 16:02:13 UTC

(In reply to comment #0)
> EXPECTED OUTCOME:
> pass words/numbers should be hashed out
> ACTUAL OUTCOME:
> not hashed out

Some security researchers are beginning to question the usefulness of password
masking. Just for the debate:

1. http://www.schneier.com/blog/archives/2009/06/the_problem_wit_2.html
2. http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html

Comment 3 Andre Klapper maemo.org

2010-02-03 19:35:33 UTC

So it turns out that this is the same issue as bug 6598, hence marking as
duplicate.

*** This bug has been marked as a duplicate of bug 6598 ***

Comment 4 tuukka.tolvanen nokia

2010-02-04 04:17:40 UTC

Not actually related to bug 6598 afaict, but rather custom script stuff from 
https://olb2.nationet.com/signon/javascript/addDDLbehaviour.js

The numbers selected in the dropdowns change to * when the dropdown loses focus
on tapping somewhere else (browser ~2010.05) which is slightly later than on
desktop, but fulfills the apparent goal of showing at most one secret character
at once. (There's visibility during selection either way.)