Information security is always one of those topics that is hard to report on, especially with the sheer number of devices available today. The problem lies in what is dangerous, what is bad, or what is no-big-deal. Frankly, opinions vary on the risks and threats involved.
One neat feature in Windows Phone is the ability to select text and hit the Search key. The Windows Phone OS copies the information over to Bing (or Cortana), and it lets you search without having to copy/paste the selection. It is super useful and certainly convenient for speedy searches.
However, there does seem to be one instance where this feature works where it should not: password fields.
The security vulnerability
When using Internet Explorer, text entered into a password field replace the characters with an asterisk. So instead of 'dummypassword' you see a series of *************. The mask is there so that if someone is overlooking your shoulder, they cannot see your password (unless they saw each letter being entered).
This security protection is standard across web browsers, operating systems, and it should be familiar to most of you.
The issue with Windows Phone is that you can select that field, highlighting the masked text and reveal the password using the Search key. Instead of searching for a series of asterisks, the password is revealed in full, pasted right into the search dialog screen.
Is this a big deal?
So the question is, how big a deal is this? Presumably, for someone to take advantage of this security hole, the person would need to be in possession of your phone.
One could argue in this situation, if your phone is already stolen and they have open access to the operating system, well, you have bigger problems. Passwords could be reset with email, which is likely on that very phone. Pictures, documents, notes, etc. are also all up for grabs.
Nevertheless, other operating systems like iOS do not allow this behavior.
Furthermore, if your phone is PIN unlocked, someone would not need to steal your phone to make usage of this trick. Many people let Internet Explorer manage their passwords, allowing the password box to auto-fill when logging into a website. A potential thief could just as easily go to the browser, load up Facebook and when it fills in the field, use this flaw to grab your password.
Fixed in Windows 10?
Although this flaw is exposed on Windows Phone 8.1, it looks like in Windows 10 for phone it cannot. We tried it on our Lumia 830 with the Windows 10 preview installed and were not able to replicate the vulnerability. Furthermore, Internet Explorer is supposed to be supplanted by the Project Spartan browser, giving Microsoft another shot at making sure this – and other – vulnerabilities do not exist.
Microsoft should fix this
We would consider this a low-level threat as it would require someone have access to your phone. Additionally, if IE is not managing your passwords, it is even harder.
Update: Microsoft's Security Response Center has responded to Peter's report filed earlier. The news is not so comforting.
"Thank you for contacting the Microsoft Security Response Center. Upon investigation we have determined it to not be a security vulnerability as it requires physical access (please see link below). For an in-depth discussion of what constitutes a product vulnerability, please see https://technet.microsoft.com/library/cc751383.aspx. "
However, Microsoft's Windows and Windows Phone teams can still patch this on their own, so we will keep an eye out to see if that happens.
The problem was brought to our attention by Peter M., and also posted on Reddit