Email and password visibility after Submit (Facebook)

Viewed 57 times

I have a question about passwords. I decided to do an "experiment" to see how secure the data sent by forms is, and even using a security protocol I noticed that it is literally possible TO READ AND SEE the password that was sent.

The browser sends everything in the clear. Ignorant as I am about the security topic, I always thought the browser sent the data 'obfuscated' or encrypted and decrypted using SSL.

I used Facebook to test; in other words, you can find the login and password of an account that is open on a machine. I took a screenshot of the console to illustrate the data found.

Naturally I hid some fields and changed the password, but the password displayed on the console is the same as my Facebook account's.


[screenshot of the browser console; image not included]

Question

  • What can be done to avoid this sort of thing?
  • Doesn't the security protocol solve that kind of situation?

  • How exactly did you do the test?

  • @Danielomine, I logged in and was redirected to the main page, and there on the console was the URL POST login.php[...], only that.

  • rsrs.. I imagined this. But this is normal. rsrs.. What you are seeing is the data that the browser has already received and decoded.

  • Even so, if it has been received and sent, shouldn't it be destroyed to avoid this display? It is even easier than installing a keylogger on the girlfriend's PC rsrsrs. Joking aside, anyone can have access to the information sent.

  • ?? But if you print it on the screen it will show up.. rsrsrs.. By the way, why is it showing up in console.log? It will only show on the console if you have printed it to the console.

  • I just opened the console, I didn't type any command, this screen is from Facebook, it's not localhost! So I opened the question.

  • It's unclear how you did the test. Are you sure the Facebook site is printing such data on the console? If you can describe it better, for example: this console is from which browser? What is this URL login.php?lo.. ? You look like you're messing with something that has nothing to do with it.

  • Do the test yourself; I used FF. Log out, then open the console and log in; you will be redirected to the main page and the data will appear as in the image I pasted. It doesn't print to the console like you do with console.log; it only displays the data that was sent via POST.

  • Understood. This is not the responsibility of the HTTPS protocol. It is a feature that modern browsers provide natively, usually in "Developer tools > Network". They are debugging tools for developers. To stop displaying the data, just stop recording the logs.

  • @Papacharlie it really does happen, but this is because the console analyzes what the browser is sending before it is submitted. Otherwise we wouldn't be able to debug. In fact, this only becomes a problem if you have physical access to the machine and if you have access to that console at the time that person has logged in and left the machine, because as soon as the first refresh happens you lose this information. So I don't see how that would be a problem. But of course, I could be wrong!

  • @Thomaslima, I kept browsing Facebook with the console closed, and when I opened it there was the POST login.php?login_attempt=[...] with the e-mail and password data...

  • Did you browse Facebook only on your own Internet connection, or have you entered other profiles? Is this information in the right console's Network tab? This tab only shows the current requests. Do a test: log in to Facebook, and after logging in, press F5. See if the information will still be there.

No answers
