Bug 35724

Summary: password box is not completely secure. (mixmail.ya.com)
Product: [Applications] konqueror
Reporter: sepspv
Component: khtml
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED
Severity: grave
CC: luigiwalser, misc2006, zander
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: RedHat Enterprise Linux
OS: Linux

Description sepspv 2001-12-04 04:45:40 UTC
(*** This bug was imported into bugs.kde.org ***)

Package:           konqueror
Version:           KDE 2.2.1 
Severity:          normal
Installed from:    RedHat RPMs
Compiler:          Not Specified
OS:                Linux
OS/Compiler notes: Not Specified

In mixmail.ya.com, when I log in and push the back button in Konqueror, the text in the password field appears in the username field.
This is a security problem.
Bye.

(Submitted via bugs.kde.org)
Comment 1 Daniel Naber 2002-09-20 15:32:32 UTC
Well, you cannot copy+paste the password, but it could indeed be later used by
someone else. I don't consider this a real problem, but I set it to "grave" as
a "potential security problem".
Comment 2 Dirk Mueller 2002-09-22 02:35:01 UTC
Hmm, any example login I could use for testing? Daniel, you created one,
right?
Comment 3 Daniel Naber 2002-09-22 03:23:51 UTC
Subject: Re:  password box is not completely secure. (mixmail.ya.com)

On Sunday 22 September 2002 02:35, you wrote:

> ------- hmm, any example login I could use for testing ? Daniel, you
> created one right?

e.g. here:
http://www.danielnaber.de/tmp/konqueror.php

type password, submit, go back: password still there (the form goes to 
itself when you submit, but that's not relevant)

Comment 4 Dirk Mueller 2002-09-22 07:20:35 UTC
*** Bug has been marked as fixed ***.
Comment 5 Thomas Zander 2002-10-24 15:37:04 UTC
I see this bug-fix as a mis-feature. It only brings a false sense of security.
If only since session cookies are still available. Now; if you empty the
password field when a cookie that is set as a result of that form is expired;
then it makes sense. Now it's just annoying and does not add any security.

Closing konqueror is the only way you can be 'secure' in this matter, and it's
not that big a problem since starting it again takes minimal time.

I recently convinced a number of former IE users to switch to konqueror so they
could get around this bad feature :(  This just to say I'm definitely not the
only one who has a problem with this.

Anyway; please consider un-fixing this non-problem. It's bad from a usability
point of view and not a security fix at all.
Comment 6 David Walser 2002-11-02 07:10:53 UTC
Thomas is right.  I can see why this was contrived as a security fix, but it's not.  
  
Consider Yahoo! Mail.  It has a feature where it just automatically logs you out after a  
certain amount of time.  It's annoying, but it is a security feature, because if you leave  
yourself logged in in a public place (and I mean even closed the browser, but had told   
it to remember you), someone can only abuse it for a limited time w/out your password.  
  
Now, just as a user, it's annoying, and it's nice to be able to go back to the login  
screen and hit login again.   If you didn't want someone else to be able to do that you 
would have just closed the browser window. 
 
This wasn't a security fix, more just an annoyance.  It should be reverted.