Bug 289228

Summary: Password input fields are not masked in Safari on iOS 18
Product: WebKit Reporter: iigayasho
Component: Forms Assignee: WebKit Security Group <webkit-security-unassigned>
Status: NEW    
Severity: Normal CC: ap, bfulgham, cdumez, karlcow, webkit-bug-importer, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: Safari 18   
Hardware: iPhone / iPad   
OS: iOS 18   
Attachments:
Description: screenshot (no repro); Flags: none
Description: Visible password characters on Safari (iOS 18); Flags: none

iigayasho
Reported 2025-03-06 01:27:25 PST
Description
In Safari on iOS 18, password input fields do not mask the entered characters while typing. Instead of being replaced with dots (•), the text remains visible in plaintext. This behavior exposes user credentials and is a potential security risk.
Steps to Reproduce
1. Open a website that requires account creation while not logged in.
2. Navigate to the account registration page.
3. Enter an email, username, and any other required information, then tap on the password field.
4. The password field turns yellow, and a "Use Strong Password?" dialog appears. Tap "Not Now".
5. Tap the password field again.
6. Begin typing a password; it appears in plaintext instead of being masked.
7. Tap outside the password field; the entered password is now masked as expected.
Expected Behavior
- The entered password should be masked with dots (•) while typing, as is standard behavior for password fields.
Actual Behavior
- The password is displayed in plaintext while typing and only becomes masked after tapping outside the field.
Attachments
screenshot (no repro) (145.07 KB, image/png)
2025-03-29 13:43 PDT, Alexey Proskuryakov
no flags
Visible password characters on Safari (iOS 18) (201.47 KB, image/png)
2025-03-31 18:34 PDT, iigayasho
no flags
Radar WebKit Bug Importer
Comment 1 2025-03-06 01:27:33 PST
Alexey Proskuryakov
Comment 2 2025-03-06 17:25:35 PST
Thank you for the report! Could you please provide detailed steps to reproduce? When logging in to bugs.webkit.org on an iPhone, I see the behavior that it's had forever, namely that the character in the password field shows up momentarily, and then gets replaced with the dot. If there is a specific website where the characters remain visible, please share the details! I know that some have that behavior as an option that can be chosen by the user.
iigayasho
Comment 3 2025-03-26 02:11:12 PDT
Thank you for your response. Please find below the detailed steps to reproduce the issue:
Steps to reproduce:
1. On an iPhone running iOS 18.3.2, navigate to linkedin.com.
2. Go to the account sign-up page and fill in the information except for the password.
3. Tap the password input field. A dialog appears asking whether to use a strong password.
4. At this point, the password field is highlighted in yellow.
5. Choose “Not Now” on the dialog.
6. Tap the password field again and start entering a password.
7. As you begin typing, the password is displayed in plain text instead of being masked.
8. Once you tap outside the password field, the entered password is then masked as expected.
Expected behavior:
- The password should be masked with dots (•) while typing, as per the standard behavior of password fields.
Actual behavior:
- The password is shown in plain text while typing, and only becomes masked after tapping outside the password field.
Alexey Proskuryakov
Comment 4 2025-03-29 13:43:55 PDT
Created attachment 474758 [details] screenshot (no repro)
Thank you! I cannot reproduce this, not even when changing the site language to Japanese. Attaching a screenshot. Could you please attach a screenshot of how it looks for you?
iigayasho
Comment 5 2025-03-31 18:34:22 PDT
Created attachment 474785 [details] Visible password characters on Safari (iOS 18)
iigayasho
Comment 6 2025-03-31 18:36:55 PDT
Thanks for checking! Here’s how it looks on my side.
Alexey Proskuryakov
Comment 7 2025-04-01 09:17:06 PDT
I'm not sure what to think. Looks like you are getting a slightly different version of the website (e.g. "Remember me" vs. "Keep me logged in").