Upon submission of a login form, passwords are exposed in plain text in the "Request" tab of the Network Monitor in Dev Tools.
An example from logging in to NameCheap:
Physical access required, so consider workplace harassment, disgruntled employee, abusive partner, etc.
1. When the person is away, sneak over and log out of the account of theirs you want access to.
2. Open the network inspector in a background window, tick "persist logs".
3. They come back and log in again; later you can grab their credentials from the network inspector.
I mean, rule #1 of security is no plain text passwords.
This "security flaw" (as I see it) allows any tech-savvy person to relatively easily see passwords.
So, in the same way Firefox visually hides a "password" text field from observation, shouldn't the Network inspector do the same, instead of revealing the text?
Edit: it seems Chrome does this as well!
This strikes me as totally bizarre.