Submitted password value "●●●●●●●●●", not the actual password

[llcawthorne]

Describe the bug

I've enabled this on my login page which posts to a Java servlet on the backend. I can see that it is randomizing the name of the username and password fields successfully. I fill in the fields and submit then I trace what was sent to the server. The parameters are named correctly for their old names before randomization (j_username and j_password), and the j_username value is the username I typed. However, the password being submitted to the server is "●●●●●●●●●" (the fill characters that the plugin is using to hide the password) rather than the actual password, so authentication always fails. I don't see anything failing in the browser console, so I'm not sure why it isn't submitting what was entered for the password rather than the fill characters. It has the correct real password value displayed in debugMode.

Information

• OS: Windows 10
• Browser: Chrome Version 77.0.3865.90
• Extensions: Disabled extensions
• Version: latest version of plugin pulled from cdn, jQuery 1.11.1

[llcawthorne]

I also tried using this on another form in the same app. It is a changePassword page with currPw, oldPw, and newPw fields. I switched my validate() function from onSubmit on the form to a callback property of disableAutoFill call, and changed the body of the validate function to just alert(document.changePwd.newPw.value); (where changePwd is the form, and newPw is the field containing the new password). When the alert fires, it shows the value is ●●●●●●●●●. This appears to be the same way the value is being accessed in the checkForm example code, so I'm not sure why it is getting a value of the mask characters instead of the actual password value.

[llcawthorne]

I am able to recreate this in the latest version of Internet Explorer on my Windows 10 box also. The only difference is that the fill character shows up as "â—�" instead of "●", but it continues to pass fill characters to my callback function instead of the password entered.

[llcawthorne]

I tried with version 3.3.1 of jQuery also, and it still submitted ●●●●●●●●● for the password.

[Behseini]

Hi,
I just test this yesterday at Oct 10, 2019 and I am also having same issue on server side using PHP. I am getting ●●●●●●●●● when trying to dump $_POST['password']

I tried all of these

$('#form').disableAutoFill({
                           textToPassword:false, 
                           passwordField: '.password'
});

$('#form').disableAutoFill({
                           textToPassword:true, 
                           passwordField: '.password'
});

$('#form').disableAutoFill({
                           passwordField: '.password'
});

[watain666]

Same issue

[terrylinooo]

Do you see any error displayed on the console (Chrome developer tool)

[llcawthorne]

No. There are no errors in the developer console. I tried again to make sure, and everything is clear there. I can tell it's enabled, because the fill character changes and you see the letter momentarily before it is replaced with the fill character when disableAutoComplete() is enabled. I'm currently trying with a really simple validate function that just alerts with the value from the password box, and it is always showing the value as a series of the fill character rather than the actual password value. Previously when I submitted it to the server and traced what was passed via debugging, it was also a series of the fill characters. I'm currently loading disableAutoFill from the cdn, so it should be a good copy. https://cdn.jsdelivr.net/npm/disableautofill/src/jquery.disableAutoFill.min.js

Current validate function:

		function validate() {
			alert(document.forms[0].j_password.value);
			return false;
		}
	
		// disableAutoComplete called in body onload
		function disableAutoComplete() {
			// securityCheck is the id of the form
			jQuery('#securityCheck').disableAutoFill({
				callback: function() {
					return validate();
				}
			});
		}

[llcawthorne]

I can also interact with my field through the developer console. I can see that it has a class added to it of disabledAutoFillPassword and a random looking id. When I try to access the value, I just get a string of fill characters. "●●●●●●●●●". I guess that technically is the value, but I don't know how to get the actual password value so I can use it in any way, and it seems like that shouldn't be what is sent when the form is submitted.

[watain666]

Hi, @terrylinooo
There is no any error displayed on the console
I wrote a jsfiddle to reproduce the issue.

[yertech]

same for me with .net

[ashishreddyquantela]

facing same issue.

[gigo6000]

We were using the plugin without issues until we added a password field to the form, I think the plugin should replace the "dots" with the clear text password before submission but is not doing it for some reason. Also I need to apply some validation rules to the password before submission so I need access to the real password.

[benhacka]

Lol, it's so f.king funny, we deceive browsers, but at the same time we lose critical information...

Had to make changes in the source script:

var i = [], e = {}, s = [], n = [], o = [], a = {};
let pass_dict = {} // only add a dict 
Array.prototype.insert = //... no change

a.passwordListener = function (i, e) {
       // old code here w/o change ...
       pass_dict[this.id] = i.join("")
})
// at the end add:
t.fn.real_val = function (e) {
        return pass_dict[$(this).attr('id')] || $(this).val()
}

And for getting pass:

$("#password").real_val() // my password input has an id - "password"
$("#password_confirm").real_val() //second password field

p.s.
Ohhh god, it also changes csrfmiddlewaretoken input ...