Password harvesting with AutoComplete and JavaScript

The password textbox in a Web form is pretty much a joke. Sure the password is masked, but only visually. You can easily view the password with a small amount of JavaScript. For example, if you paste the following JavaScript into the browser URL bar when a password textbox is present you can see the password in clear text:

javascript:var x=document.getElementsByTagName('input'); myVals='';for (var i=0;i<x.length;i++){z=x[i].getAttribute('type'); if(z=='password')myVals=myVals+'The password value is: '+x.item(i).value+('\n\n')};alert(myVals)


Here is the script in action:



Because passwords can be harvested in this manner, the AutoComplete feature (the ability to save passwords) is very dangerous. If you use a computer in a kiosk environment, or if your computer is compromised, an attacker could review your browser history, navigate to the logon pages of those sites and extract your credentials through the AutoComplete feature and the above JavaScript.


How can you avoid this issue?

Developers
From a development point of view the AutoComplete attribute should be set to “off”. This can be done at the form or input level. This looks something like this at the FORM level:


<FORM autocomplete="off">


and like this at the INPUT level:


<INPUT type="password" autocomplete="off">


Testers
From a testing perspective it is important to make sure you have AutoComplete enabled in the browser so that you can visually catch the risk if it occurs:


Internet Explorer 6 (Tools > Internet Options > Content tab > AutoComplete button):



FireFox (Tools > Options > Privacy > Passwords):



Don’t rely on your browser settings, though; somehow they magically change once in a while. Do a manual review of the HTML source to validate that the attribute is set, or use the following JavaScript in the URL bar to extract it:


Look for AutoComplete in INPUT tags:
javascript:var x=document.getElementsByTagName('input'); myVals='';for (var i=0;i<x.length;i++){z=x[i].getAttribute('type');if(z=='text' || z=='password')myVals=myVals+'ID attribute: '+x.item(i).id+'\n'+'Name attribute: '+x.item(i).name+'\n'+'AutoComplete: '+x[i].getAttribute('autocomplete')+('\n\n')};alert(myVals);


Look for AutoComplete in FORM tags:
javascript: myVals2='';y=document.getElementsByTagName('form'); for (var n=0;n<y.length;n++){if (y.length!=null) myVals2=myVals2+'Form AutoComplete is: '+y[n].getAttribute('autocomplete')+ ('\n\n')};alert(myVals2);
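
The two checks above can be combined into one pass over saved HTML source that reports the effective setting for each text or password field. This is an added example, not code from the original post; the names attr, auditAutocomplete and SAMPLE_HTML are hypothetical, the sample page is constructed, and it assumes a value on the INPUT takes precedence over the value on its FORM.

```javascript
// Added example: effective autocomplete setting for each text/password input.
// Simplified tag scanner for test audits; it is not a full HTML parser.
// Value of attribute `name` in one tag's source text, or null if absent.
function attr(tag, name) {
  const re = new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function auditAutocomplete(html) {
  const findings = [];
  let formSetting = null; // autocomplete value of the enclosing <form>, if any
  for (const m of html.matchAll(/<\/?(form|input)\b[^>]*>/gi)) {
    const tag = m[0];
    const closing = tag.startsWith('</');
    if (m[1].toLowerCase() === 'form') {
      formSetting = closing ? null : attr(tag, 'autocomplete');
      continue;
    }
    if (closing) continue;
    const type = (attr(tag, 'type') || 'text').toLowerCase(); // no type means text
    if (type !== 'text' && type !== 'password') continue;
    const inputSetting = attr(tag, 'autocomplete');
    // Assumption: a value on the input overrides the value on its form.
    const effective = inputSetting !== null ? inputSetting : formSetting;
    findings.push({
      id: attr(tag, 'id'), name: attr(tag, 'name'), type, inputSetting, formSetting,
      flagged: (effective || '').toLowerCase() !== 'off', // anything but "off" needs review
    });
  }
  return findings;
}

// Constructed sample page (not from the original post).
const SAMPLE_HTML = `
<FORM autocomplete = "off" action="/login">
  <INPUT type="text" name="user" id="u1">
  <INPUT type="password" name="pass" id="p1">
</FORM>
<form action="/reset">
  <input name="email">
  <input type="password" name="newpass" autocomplete="off">
  <input type=password name=confirm>
  <input type="submit" value="Go">
</form>`;

for (const f of auditAutocomplete(SAMPLE_HTML)) {
  console.log(`${f.flagged ? 'REVIEW' : 'ok'} ${f.type} name=${f.name} input=${f.inputSetting} form=${f.formSetting}`);
}
```

On the sample page it marks the email and confirm fields for review, because neither they nor their form set the attribute to off.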




Users
To protect yourself as a user, you should UNCHECK the “form” checkbox in IE6. In FireFox, you should UNCHECK the “Remember Passwords” checkbox or use the Master Password feature (which will prompt for a master password before the autocomplete occurs).


Don’t forget, as described in previous posts, you can add the above JavaScript as browser shortcuts so you can quickly access and run the scripts. Do this by right-clicking the above JavaScript/link and selecting “bookmark this link” or “add to favorites”.

One Response to Password harvesting with AutoComplete and JavaScript

  1. Jared says:

    Does anyone else think that this shouldn’t actually happen? My gut feel is that this should be considered a cross-site scripting attack.
