@benguild: The official homepage of Ben Guild.

Pull passwords from any webpage with one line of JavaScript

27 Nov 2010

Try this out.

  1. Go to any page with a login prompt, such as Facebook.
  2. Type your information (including your password).
  3. Without anyone looking over your shoulder, paste this line of code into the address bar of your browser, and press ‘Enter/Return’:
javascript:var e=document.getElementsByTagName('input'),l=''; for (i=0;i<e.length;i++) { if (e[i].type=='password') { l=l+e[i].value+'\n'; } } alert(l);

Today, while coding, I realized that this command will display (in an alert)… every single “password” typed into a webpage. Without any additional software, it works in every web browser… such as: Google Chrome, Safari, Internet Explorer, and Firefox.

How to steal passwords from a web browser using JavaScript.

…But what about the ‘bullets’? ••••••••? They don’t matter. They imply security and privacy, that’s it. This uncovers that hidden information and displays it somewhere temporary and more user-friendly. Furthermore, if a website isn’t on a secure connection (web address beginning ‘https://’), your password isn’t even encrypted when your browser is communicating with that company. Anyone who can monitor your internet connection can steal that information.

However, even “secure” websites are vulnerable to this trick… including email accounts and any banks or financial institutions. Why does it work, then? Having the ability to run JavaScript in the address bar of a web browser is a great tool for web developers, but this “tool” also opens security holes for anyone with physical access to your computer. Use of this particular function requires no technical skills whatsoever (beyond copying and pasting), and works great at: school, coffee shops, your office, the library, etc.

…Should running JavaScript in the address bar of a web browser be disabled by default, and require restart of the browser to take effect? Is that even enough?
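One way to approach that question, as an added example (not code from the original post or from any browser): a hypothetical address-bar paste filter that strips a leading `javascript:` scheme so pasted text is never executed in the current page. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example: hypothetical address-bar paste filter (not any browser's real code).
// URL parsers ignore leading control characters/spaces, drop tabs and newlines
// anywhere, and match the scheme case-insensitively, so the filter must too.

const SCRIPT_SCHEME = 'javascript:';

// Returns how many characters of `text` form a leading javascript: scheme
// (0 if none), skipping the characters a URL parser would ignore.
function scriptSchemeLength(text) {
  let matched = 0;
  for (let pos = 0; pos < text.length; pos++) {
    const ch = text[pos];
    const code = ch.charCodeAt(0);
    const ignorable = ch === '\t' || ch === '\n' || ch === '\r' ||
      (matched === 0 && code <= 0x20); // leading C0 controls and space
    if (ignorable) continue;
    if (ch.toLowerCase() !== SCRIPT_SCHEME[matched]) return 0;
    matched++;
    if (matched === SCRIPT_SCHEME.length) return pos + 1;
  }
  return 0;
}

// Strips every stacked javascript: prefix so the remainder is treated as
// plain text (a search query or ordinary URL) instead of being executed.
function sanitizePastedAddress(text) {
  let rest = text;
  let stripped = false;
  for (let n = scriptSchemeLength(rest); n > 0; n = scriptSchemeLength(rest)) {
    rest = rest.slice(n);
    stripped = true;
  }
  return { text: rest.trimStart(), stripped };
}

// Constructed sample inputs.
const samples = [
  'javascript:alert(1)',
  ' JaVa\tScRiPt:javascript:alert(1)',
  'https://example.com/login',
  'javascript tutorial',
];
for (const s of samples) console.log(JSON.stringify(s), '->', sanitizePastedAddress(s));
```

A filter like this only covers the paste path; it does nothing about scripts that already run inside the page, which can read password fields the same way.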
