Autofill, not so secure

Tutorial By 6 years ago

Autofill makes it easy to access regularly visited sites that require a password. When you go back you see your username and password conveniently filled in for you, and because the password is stared out nobody can get this, right? Wrong. If somebody opens up the autofilled page they can very easily use Javascript to reveal the contents of the password field to them.

I wont use any real websites to demonstrate how this works, so I will use a html page I have created.

Open this page then type anything into the password field. Go ahead and type this into the address bar and push return

javascript:alert(document.getElementById('password').value);

javascript:for(var i=0;i<document.getElementsByTagName('input').length;i++){if(document.getElementsByTagName('input')[i].type=="password"){alert(document.getElementsByTagName('input')[i].value);}}

Don’t use autofill for things you can’t afford to lose.

  • Can be done automatically like this:

    javascript:for(var i=0;i

  • Tom