On Sun, Jul 10, 2011 at 3:44 AM, Alex Vincent <ajvinc...@gmail.com> wrote:
> On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski <lcam...@coredump.cx> wrote:
>> > For the last 10+ years, password inputs have been accessible from scripts,
>> > with nary a complaint. If I have this code:
>>
>> Unfortunately, the problem is not that easy to fix: denying access to
>> the field does not prevent the attacker from changing the form
>> submission URL after autocompletion to achieve the same...
>
> Or even simpler, changing the type attribute to something like "hidden" for
> an instant.
>
> I hate it when I don't think things through.

To be fair, we already protect <input type=file> from vaguely similar type-changing attacks. (You can't make an <input type=text>, fill it with a filename as the value, then switch to type=file and submit it to steal files from the user.)

However, as noted, doing this wouldn't help in any way. The script can redirect the form submission, or just swap out the input entirely for an <input type=text> that they manually intercept clicks on and insert * for each keypress (or more deviously, set the font-family for the text input to a font where every glyph is an asterisk, and then just read out the value normally).

~TJ