WebCore, as used in Apple Safari before 3.1, does not properly mask the password field when reverse conversion is used with the Kotoeri input method, which allows physically proximate attackers to read the password.
docs.info.apple.com/article.html?artnum=307563
lists.apple.com/archives/security-announce/2008/Mar/msg00000.html
secunia.com/advisories/29393
www.securityfocus.com/bid/28290
www.securityfocus.com/bid/28326
www.securitytracker.com/id?1019656
www.us-cert.gov/cas/techalerts/TA08-079A.html
www.vupen.com/english/advisories/2008/0920/references
exchange.xforce.ibmcloud.com/vulnerabilities/41329