
Security flaw with AJAX logins

Many sites nowadays use AJAX to let users login.

However there is a (I think) huge security flaw with this design.

If the login fails, the username/password has already been sent in a request to the server.

If for some reason the user walks AFK at this point, a malicious user can view the request that has been made by the user (Firebug / devtools).

Is this correct?

Is there something we can do about it (I don't think so)?


Firebug only logs requests if it's active during the request. Besides that, it logs both regular POSTs and AJAX POSTs (same for GET, but using that for logins is retarded anyway as it would result in passwords being written to log files in plain text).

So there is no difference. Additionally a malicious user could simply install a keylogger if the real user is stupid enough to not lock his PC...

Oh, and if the credentials were completely invalid (not just a typo) it wouldn't matter at all...


On this same note even if Firebug wasn't installed who is to say that somebody didn't install a packet sniffer or keylogger to capture the login attempts.

I don't mean to make you paranoid but these are much easier ways to steal a password than the method you described and there isn't much that can be done about that.

At the liability level, the software can't be responsible for these kinds of physical security breaches. The local IT administrator or security professionals are responsible for enacting policies that prevent such occurrences.


Surely if the credentials are incorrect (as the login failed), does it matter if some other user uses devtools on a user that has not shut down Firefox etc.?


I suppose that may be true. Perhaps after sending the AJAX request the JavaScript should erase the details on failure, or just after sending the details.

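The suggestion above (send over POST, then erase the details as soon as the request is built) written out as an added example; this is not code from the original thread. The `/login` URL, the `username`/`password` field names and the injectable `transport` function are assumptions made for the illustration.

```javascript
// Added example (not from the original thread): an AJAX login helper that
// puts the credentials in a POST body (never a GET query string, which would
// end up in server access logs) and clears the password field as soon as the
// request has been built, before the response comes back.
// Assumed: form fields named `username` and `password`, endpoint `/login`.

// Builds the request for the transport layer and wipes the password input.
// Returns { url, options }; the request body is the only remaining copy.
function buildLoginRequest(form, url = '/login') {
  const username = form.username.value;
  const password = form.password.value;

  // Clear the field before the request is sent: after this point the page
  // itself holds no plaintext password that a later visitor could read
  // from the DOM, whether the login succeeds or fails.
  form.password.value = '';

  // URL-encode into the body; never put credentials in the query string.
  const body = new URLSearchParams({ username, password }).toString();
  return {
    url,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body,
    },
  };
}

// Sends the request with `transport` (fetch by default, injectable so the
// helper can be exercised without a server) and reports only the outcome;
// the credentials are not retained on failure.
async function login(form, transport = globalThis.fetch) {
  const { url, options } = buildLoginRequest(form);
  const response = await transport(url, options);
  return { ok: response.ok, status: response.status };
}
```

As the answers above note, a Network panel that was already open during the request still shows the POST body; clearing the field only removes the copy held in the page itself.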
