I am a design engineer at Automattic, the company behind WordPress.com, working with the Theme Team to address the design concerns of millions of WordPress users.

Sunday, July 8th, 2007

Pownce has a big security problem

Kevin Rose’s latest project, Pownce, has a glaring security problem on its front page. The JavaScript that Pownce uses in its login form can reveal your password in plain text on the screen. Here are the steps to reproduce the problem in Firefox:

  1. Log in to Pownce via http://www.pownce.com/. Allow Firefox to save your login information for next time, and then log out.

  2. Navigate to http://www.pownce.com/ and type the first part of your username in the “Enter username…” box. Firefox will supply all of the matching usernames it remembers for this site. (So far, so good.)

  3. Select your username and press return to have the browser autofill the rest of your information. Oh look, there’s your Pownce password in plain view! I hope no one in the room was watching you log in…

The way Pownce shows the “Enter password…” prompt inside the password field is the cause of this malfunction. Browsers mask everything in a password field, showing asterisks or bullets instead of the characters, so a site that wants readable prompt text in that box has to do it in a non-standard way, typically by putting an ordinary text input in the password field’s place until the user clicks into it. Firefox’s saved-login autofill writes the remembered password into whatever field is sitting in that position, and an ordinary text field displays it exactly as typed.

This bug affects Firefox and Netscape users who have JavaScript enabled, but it doesn’t affect Safari users.
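To make the failure mode concrete, here is an added example that is not Pownce’s code and not part of the original post: a small JavaScript model of the two prompt techniques, written against the DOM property names (type, value, placeholder) so the same functions work on a real input element in a browser or on a plain stand-in object under Node. The browser’s autofill and its masking of password fields are simulated; the type-swapping implementation of the prompt is an assumption reconstructed from the article’s description, and the saved password “hunter2” is constructed sample data. The fixed version uses the native placeholder attribute, which browsers did not offer in 2007; at the time the equivalent was a separate label positioned over the field, and the point is the same: the input’s type never leaves password.

```javascript
// Added example, not Pownce's code. Models a login form's password box as an
// object with the same properties as an HTMLInputElement (type, value,
// placeholder), so the functions below run on a real <input> in a browser or
// on a plain object here in Node.

// Simulated browser rendering: what is visible on screen. Only a field whose
// type is "password" gets masked.
function render(input) {
  if (input.type === "password") return "•".repeat(input.value.length);
  return input.value;
}

// Simulated saved-login autofill: the browser writes the remembered password
// into the field without consulting the page's script or the field's type.
function autofill(input, savedPassword) {
  input.value = savedPassword;
}

// Vulnerable pattern (assumed reconstruction of the technique the article
// describes): to show readable prompt text in the password box, the script
// turns the box into a text input and writes the prompt into it, switching
// back to a password input only when the user focuses the field.
function installPromptByTypeSwap(input, prompt) {
  input.type = "text";
  input.value = prompt;
  input.onfocus = () => {
    if (input.value === prompt) {
      input.value = "";
      input.type = "password";
    }
  };
  input.onblur = () => {
    if (input.value === "") {
      input.type = "text";
      input.value = prompt;
    }
  };
}

// Fixed pattern: the field is always type="password". The prompt lives in the
// placeholder attribute (or, in a 2007 browser, a separate label element laid
// over the field), so nothing the script does can unmask the value.
function installPromptByPlaceholder(input, prompt) {
  input.type = "password";
  input.value = "";
  input.placeholder = prompt;
}

// Walk the article's steps against a fresh field: the prompt is installed on
// page load, then the user picks a remembered username and the browser
// autofills the password before the password box has ever been focused.
function reproduce(install) {
  const field = { type: "password", value: "", placeholder: "" }; // stand-in for <input>
  install(field, "Enter password…");
  autofill(field, "hunter2"); // constructed sample password
  const visible = render(field);
  return { visible, leaked: visible === "hunter2" };
}

module.exports = { render, autofill, installPromptByTypeSwap, installPromptByPlaceholder, reproduce };
```

In a browser, pass the real element instead of the stand-in object, for example `installPromptByPlaceholder(document.querySelector("#password"), "Enter password…")`. With the type-swap installer, `reproduce` reports the autofilled password in the clear; with the placeholder installer it reports seven bullets.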
