On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski <lcam...@coredump.cx> wrote:
> > For the last 10+ years, password inputs have been accessible from scripts,
> > with nary a complaint. If I have this code:
>
> Unfortunately, the problem is not that easy to fix: denying access to
> the field does not prevent the attacker from changing the form
> submission URL after autocompletion to achieve the same...

Or even simpler, changing the type attribute to something like "hidden" for an instant.

I hate it when I don't think things through.

--
"The first step in confirming there is a bug in someone else's work is confirming there are no bugs in your own."
-- Alexander J. Vincent, June 30, 2001
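A defender-side sketch of the two changes discussed in this message, as an added example that is not part of the original thread: a credential-filling component records the form's submission origin and its password fields at fill time, then latches on any later change, including one that is reverted an instant later. `makeFillGuard`, the plain-object form shape and the hostnames are assumptions made for illustration.

```javascript
// Added example; makeFillGuard and the form-object shape are hypothetical.
// A form is a plain object { pageUrl, action, fields: [{ name, type }] }
// so the logic runs without a DOM.
function makeFillGuard(formAtFill) {
  const origin = (f) => new URL(f.action, f.pageUrl).origin;
  const filledOrigin = origin(formAtFill);
  const passwordNames = formAtFill.fields
    .filter((f) => f.type === "password").map((f) => f.name);
  const findings = []; // latched: never cleared once something is seen
  return {
    // Call on every attribute change (e.g. from a MutationObserver callback),
    // not only at submit: the type change described above lasts an instant.
    observe(formNow) {
      const now = origin(formNow);
      if (now !== filledOrigin) findings.push(`action origin ${filledOrigin} -> ${now}`);
      for (const name of passwordNames) {
        const field = formNow.fields.find((f) => f.name === name);
        if (!field) findings.push(`password field "${name}" removed`);
        else if (field.type !== "password") {
          findings.push(`field "${name}" type password -> ${field.type}`);
        }
      }
    },
    // The filled value may be submitted only if nothing was ever observed.
    maySubmit: () => findings.length === 0,
    report: () => findings.slice(),
  };
}

// Constructed sample data; both hostnames are placeholders.
const filled = {
  pageUrl: "https://shop.example.test/login",
  action: "/session",
  fields: [{ name: "user", type: "text" }, { name: "pass", type: "password" }],
};
const withPassType = (type) => ({
  ...filled, fields: [{ name: "user", type: "text" }, { name: "pass", type }],
});
function demo() {
  const flip = makeFillGuard(filled);
  flip.observe(withPassType("hidden"));   // momentary change
  flip.observe(withPassType("password")); // restored, guard stays latched
  const retarget = makeFillGuard(filled);
  retarget.observe({ ...filled, action: "https://collector.example.test/x" });
  const clean = makeFillGuard(filled);
  clean.observe(filled);
  return { flip: flip.report(), retarget: retarget.report(), clean: clean.maySubmit() };
}
console.log(demo());
```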