SSO Login screen reveals password

sterretje · May 29, 2017, 1:10pm

I just reported it on github: SSO Login screen reveals password

This might be a browser bug, I don't know.

Arduino forum login form (Arduino Profile.......)

Type the first character of your password; as a proper password field, it shows *.
Click the little eye at the right of that field
Type the next character (does not have to be correct). Use backspace and a dropdown shows which reveals the complete password.

Tested on
Win7 64 bit with Firefox 53.0.3 (32 bit)
Android 6.0.0 with Chrome 58.0.3029.83

Ballscrewbob · May 29, 2017, 1:48pm

Hmm got "logged out" as I pressed post so trying this again.

Looking like a couple of minor glitches in FF since it updated but not seeing any issues in win 7 x 64 and Chrome for this one.

pert · May 29, 2017, 2:01pm

I can reproduce on both firefox and chrome:

Sign out
Go to the Sign in page.
Type a character in the password input field to make the eye icon appear.
Click the eye icon on the password input to turn password obfuscation off (signified by eye with line through it).
Sign in. This will put the password in your autocomplete history.
Sign off
Go to the Sign in page.
Type any character in the password input field to make the eye icon appear.
Click the eye icon on the password input to turn password obfuscation off (signified by eye with line through it).
Delete the character you entered in the password input field.
Press the down arrow on your keyboard. A dropdown appears with the password you entered on the first login.

They need to set the autocomplete attribute for the password input to off. I saw that once before on the credit card input on an online store coded by an amateur but this is the first I've seen it on a password input.

Ballscrewbob · May 29, 2017, 2:04pm

Hi Pert your instructions are a little better than the GIT ones.

Will re-try

EDIT...
With your instruction I can confirm in Chrome that I can now see the PW.
Suggest update the GIT issue instructions with your version.

sterretje · May 29, 2017, 3:07pm

ballscrewbob:
Hi Pert your instructions are a little better than the GIT ones.

Sorry for my poor description. But i don't have to click login to see it

Ballscrewbob · May 29, 2017, 3:22pm

LOL me neither...Have to deliberately sign out, clear cache etc. etc.

Good catch though on your part ! 2TU

pert · May 29, 2017, 6:06pm

sterretje:
i don't have to click login to see it

Just curious, what do you mean by that?

sterretje · May 29, 2017, 6:23pm

pert:
Just curious, what do you mean by that?

I don't need to click sign in to see my password.

Type the first character of your password.
Click the eye.
Type another character.
Press backspace.

Voila, there is your password.

pert · May 29, 2017, 6:35pm

You need to do one login with password obfuscation turned off in order for the password to be recorded in the browser's autocomplete history. If you have only ever logged in with password obfuscation on then the issue doesn't occur because the browser doesn't store the password in the autocomplete history when it's obfuscated. After that first time logging in with password obfuscation turned off it's in the history and you can reproduce the issue by only following the second half of my instructions from then onwards, it is not necessary to repeat the first part of the instructions every time.

I believe this was the reason that ballscrewbob was unable to reproduce the issue at first as I had that problem trying to reproduce it.

sterretje · May 29, 2017, 7:08pm

Ah, thanks for that explanation.

system · May 6, 2021, 12:17pm