Bug 1361985 (CVE-2016-5260) - CVE-2016-5260 Mozilla: Form input type change from password to text can store plain text password in session restore file (MFSA 2016-74)
Summary: CVE-2016-5260 Mozilla: Form input type change from password to text can store...
Alias: CVE-2016-5260
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1360577
TreeView+ depends on / blocked
Reported: 2016-08-01 06:32 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-17 03:29 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-08-03 04:58:48 UTC

Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2016-08-01 06:32:28 UTC
Mozilla employee Mike Kaply reported that the Firefox session restore data can contain passwords in plain text if a password input field on a page has its type changed from "password" to "text" during a session. This can occur if the password input field has a scripted mechanism to display the password to the user. Once this type is changed, the password data will persist as clear text within stored form data for this page. This could result in a potential revelation of site passwords on sites that use this mechanism to display password data if an attacker could find a way to read the session restoration file. 

External Reference:



Name: the Mozilla project
Upstream: Mike Kaply


This issue does not affect the version of firefox and thunderbird as shipped with Red Hat Enterprise Linux 5, 6 and 7.

Note You need to log in before you can comment on or make changes to this bug.