Unsafe Password Fields On Web Browsers
Most people nowadays (who still use a computer) rely on their web browser to store information to quickly fill forms such as addresses, personal information, usernames and passwords. When a password field is stored in your browser and later filled into a form, it will be automatically masked as usual on any password field.
If you wish to see what the password is, you must go to your browser’s passwords manager and it will usually require you to type in your OS’s user password before it will show you anything in plain text. However, since HTML is very developer friendly (and web browsers make it remarkably easy to debug websites with built in tools), altering a simple attribute in the password field will make it readable without asking for any password.
This is risky as anyone could perform this trick a lot faster than finding the desired password in the browser’s manager and doesn’t require any credentials. Picture yourself in a coffee shop where you stand up to get some napkins or sugar and leave your laptop unattended for a minute. That’s more than enough time to retrieve a stored password and go unoticed.
I’ve tested it on Google Chrome and Firefox and at the time of writing, both browsers being in their latest versions and the same technique shows me my stored passwords in plain text.
All you have to do is go to a login page where your username and password have been filled in by your browser and right click on the password field. Select “Inspect” (Chrome) / “Inspect Element (Firefox) and you’ll see the HTML code for the website on screen. All you have to do is search for the password field and then find the “type” attribute which will have a “password” value indicating the browser that it should visually mask that field with dots or whatever character it uses for hiding the password’s text. Replace the word “password” with the word “text” and press enter. That’s it, the password will be shown.
<input class=”form-control ng-valid ng-dirty” name=”password” ng-model=”password” type=”password“> (Replace “password” with “text”)
This of course doesn’t apply to all websites (but surely does apply to most of them) and only works if the user has stored the login credentials for the specific website you are testing. I’d report this as an issue but most likely it’s a feature that works as intended because it’s a debugging tool for developers. However, it doesn’t make sense to me that the password manager requires the user to provide a password before actually showing anything in text but it does input your password into the form without any security whatsoever.
Just something to take into account when storing passwords inside your browser as it might not be the safest idea.