Now I Have a Blog Too

Christopher Finke is a software engineer at Mahalo. He is available for birthday parties and bar mitzvahs.

Pownce has a big security problem

Kevin Rose's latest project, Pownce, has a glaring security problem on its front page. The JavaScript that Pownce uses in its login form can reveal your password in plain text on the screen. Here are the steps to reproduce the problem in Firefox:

  1. Log in to Pownce via http://www.pownce.com/. Allow Firefox to save your login information for next time, and then log out.


  2. Navigate to http://www.pownce.com/ and type the first part of your username in the "Enter username..." box. Firefox will supply all of the matching usernames it remembers for this site. (So far, so good.)


  3. Select your username and press return to have the browser autofill the rest of your information. Oh look, there's your Pownce password in plain view! I hope no one in the room was watching you log in...


The cause of this malfunction is the method Pownce uses to show the "Enter password..." prompt inside the password field. Browsers mask every character typed into a password field with asterisks, so displaying readable text in that field, as Pownce has chosen to do, requires a non-standard workaround, and that workaround is what leaves the autofilled password unmasked.

This bug affects Firefox and Netscape users who have JavaScript enabled, but it doesn't affect Safari users.
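As an added illustration (not Pownce's code, which this post does not show), here is a model of one common way to implement the non-standard prompt: a field that starts as type="text" so the prompt is readable and only becomes type="password" when focused, beside a version that keeps type="password" throughout and puts the prompt in the placeholder attribute. Browser autofill is simulated by writing into a field the user never focused; plain objects stand in for DOM inputs so it runs outside a browser.

```javascript
// Plain objects stand in for DOM inputs so this runs outside a browser.
// "displayed" mirrors the rule the post describes: browsers mask every
// character in a password field; a text field shows its value verbatim.
function displayed(field) {
  return field.type === 'password' ? '*'.repeat(field.value.length) : field.value;
}

const PROMPT = 'Enter password...';

// Assumed vulnerable pattern (the post does not show Pownce's code): the
// field starts as type="text" so the prompt is readable, and only the focus
// handler switches it to type="password".
function makeVulnerableForm() {
  const field = { type: 'text', value: PROMPT };
  return {
    field,
    focus() {
      if (field.value === PROMPT) field.value = '';
      field.type = 'password';
    },
  };
}

// Hardened form: the field is type="password" from the start and the prompt
// lives in the placeholder attribute, never in the field's value.
function makeHardenedForm() {
  const field = { type: 'password', value: '', placeholder: PROMPT };
  return { field, focus() {} };
}

// A user clicking into the field and typing: the focus handler runs first,
// so the vulnerable form looks fine in everyday use.
function typeInto(form, text) {
  form.focus();
  form.field.value = text;
  return displayed(form.field);
}

// The browser's password manager fills the saved password into a field the
// user never focused, so the focus handler does not run (assumed model of
// the Firefox behaviour exercised by steps 2 and 3 above).
function autofill(form, savedPassword) {
  form.field.value = savedPassword;
  return displayed(form.field);
}
```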

2 Responses to “Pownce has a big security problem”

  1. Pownce's First Security Flaw Discovered » Marlex Systems Says:

    [...] More Information | Now I have a Blog too [...]

  2. -- wathefak Says:

    [...] Pownce has security problems « WOW! The real transformer! | [...]
