Description
Important
If you are reporting a crash on Linux, please check whether webkit is mentioned in the crash file.
If yes, please try setting the WEBKIT_DISABLE_COMPOSITING_MODE=1 and/or WEBKIT_DISABLE_DMABUF_RENDERER=1 environment variables.
If they prevent the crashes, please don't report the bug; it is already known as #843.
Describe the bug
I am using a simple PasswordOnlyApp where I use SWT.PASSWORD on the Text widget for the UI, and the issue is that inspection tools like WinSpy++ are able to inspect the password property, which makes it a security vulnerability.
To Reproduce
To reproduce the issue I am attaching a simple code snippet named PasswordOnlyApp:
// code snippet
import org.eclipse.swt.SWT;
import org.eclipse.swt.layout.FillLayout;
import org.eclipse.swt.widgets.Display;
import org.eclipse.swt.widgets.Shell;
import org.eclipse.swt.widgets.Text;

public class PasswordOnlyApp {
    public static void main(String[] args) {
        Display display = new Display();
        Shell shell = new Shell(display);
        shell.setLayout(new FillLayout());
        shell.setSize(300, 80);
        shell.setText("Password");
        // SWT.PASSWORD masks the typed characters; on Windows the Text widget
        // is backed by a native Edit control carrying the ES_PASSWORD style.
        Text passwordField = new Text(shell, SWT.PASSWORD | SWT.BORDER);
        shell.open();
        // Standard SWT event loop: dispatch events until the shell is closed.
        while (!shell.isDisposed()) {
            if (!display.readAndDispatch()) {
                display.sleep();
            }
        }
        display.dispose();
    }
}
//
You can run this standalone application with the referenced lib org.eclipse.swt.win32.win32.x86_64-3.132.0.jar,
then install WinSpy++ and inspect the password field: you can see the password exposed.
Expected behavior
The password should not be exposed by any sort of UI inspection tool.
Screenshots
Screenshot attached.
Environment:
- Platform(s) on which the behavior is seen:
  - Windows
- Additional OS info (e.g. OS version, Linux Desktop, etc): -
- JRE/JDK version: right now using JDK 17
Version since
Eclipse or SWT version since when the behavior is seen: I am using org.eclipse.swt.win32.win32.x86_64-3.132.0.jar
Workaround (or) Additional context
For additional information, I have tried message blocking (WM_GETTEXT): modern Windows controls protect sensitive data by restricting the WM_GETTEXT message. While a tool like WinSpy++ normally sends this message to retrieve text, Windows checks the calling process. If the request comes from an external process, Windows returns an error or an empty string rather than the password. But tools like WinSpy++ are not treated as an external process, so they bypass this as well and are still able to inspect.
Another thing I have tried is using passwordField.setEchoChar('*'); // explicitly set the masking character, but this is also not helping.
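The WM_GETTEXT behaviour described in the report can be checked directly, without WinSpy++, by sending the message from a separate process. The script below is an added example and is not part of the original issue or of SWT; it assumes the PasswordOnlyApp above is running with its shell titled "Password", that it is run from a 64-bit PowerShell (GetWindowLongPtr is exported only by the 64-bit user32.dll), and that the SWT Text widget is backed by the native "Edit" window class. It walks the child windows of that shell, flags which Edit controls carry ES_PASSWORD, and records what a plain cross-process WM_GETTEXT returns for each one, so the reader can compare the password control against an ordinary one.

```powershell
# Added example (not from the original issue or from SWT): probe a password
# Text control from a separate process with WM_GETTEXT, as an inspection tool
# would. Assumes PasswordOnlyApp is running with the shell title "Password".
Add-Type -Namespace Win32 -Name Probe -MemberDefinition @"
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);

    [DllImport("user32.dll")]
    public static extern bool EnumChildWindows(IntPtr hWndParent, EnumWindowsProc lpEnumFunc, IntPtr lParam);

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetClassName(IntPtr hWnd, System.Text.StringBuilder lpClassName, int nMaxCount);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr GetWindowLongPtr(IntPtr hWnd, int nIndex);

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, System.Text.StringBuilder lParam);
"@

$WM_GETTEXT       = 0x000D   # copy the control's text into a caller-supplied buffer
$WM_GETTEXTLENGTH = 0x000E   # length of the control's text, in characters
$GWL_STYLE        = -16      # GetWindowLongPtr index for the window style bits
$ES_PASSWORD      = 0x0020   # edit-control style set for masked (password) fields

# Locate the SWT shell by its title (assumption: the title from the report).
$top = [Win32.Probe]::FindWindow($null, 'Password')
if ($top -eq [IntPtr]::Zero) { throw 'PasswordOnlyApp window not found; start it first.' }

# Collected per child Edit control. A List is used so the callback can append
# to it without PowerShell scope gymnastics.
$results = New-Object 'System.Collections.Generic.List[object]'

$callback = [Win32.Probe+EnumWindowsProc]{
    param([IntPtr]$hWnd, [IntPtr]$lParam)
    $cls = New-Object System.Text.StringBuilder 256
    [void][Win32.Probe]::GetClassName($hWnd, $cls, $cls.Capacity)
    if ($cls.ToString() -eq 'Edit') {
        $style = [Win32.Probe]::GetWindowLongPtr($hWnd, $GWL_STYLE).ToInt64()
        $isPassword = ($style -band $ES_PASSWORD) -ne 0

        # Ask the control how long its text is, then try to copy it out.
        $len = [Win32.Probe]::SendMessage($hWnd, $WM_GETTEXTLENGTH, [IntPtr]::Zero, $null).ToInt32()
        $buf = New-Object System.Text.StringBuilder ($len + 1)
        $copied = [Win32.Probe]::SendMessage($hWnd, $WM_GETTEXT, [IntPtr]$buf.Capacity, $buf).ToInt32()

        $results.Add([pscustomobject]@{
            Handle      = ('0x{0:X}' -f $hWnd.ToInt64())
            EsPassword  = $isPassword
            ReportedLen = $len       # what WM_GETTEXTLENGTH claimed
            Copied      = $copied    # characters WM_GETTEXT actually returned
            Text        = $buf.ToString()
        })
    }
    return $true   # keep enumerating
}

[void][Win32.Probe]::EnumChildWindows($top, $callback, [IntPtr]::Zero)
$results | Format-Table -AutoSize
```

Type something into the field before running the script and compare ReportedLen, Copied and Text for the control with EsPassword set against a non-password Edit, if one is present. This exercises only the plain cross-process message path; a tool whose code executes inside the target process (via a hook or an injected thread) sends WM_GETTEXT in-process and is not subject to the cross-process check, and the cleartext is in the process's memory regardless, so an empty result here does not by itself establish that the password is unreachable.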