Date: 2022-10-19

Without a doubt, many of you reading this regularly use your browser's ‘Save password’ function. After all, it is the best way to avoid having to remember every password we create; or, even with an excellent memory, we may use it simply because we do not want to type the password every time we visit the website in question.

But of course, that can lead to new security issues: if the password in question is saved on our PC, anyone with access to our browser (family, co-workers) can access our passwords.

Now, this is where you tell me that to review the saved passwords, it is necessary to open the browser's user profile, go to the passwords section and enter our own operating system password before the browser shows the one we are looking for.

That being said, it seems pretty safe, it’s true. But what if there was an extremely simple method that would allow anyone with access to our browser (provided we use Google Chrome or MS Edge) to reveal any saved passwords… with the sole condition of entering the login form of the website in question?

Suddenly we are not so convinced that the habit of saving passwords in the browser is so secure, right? Well, that method is what Pau Garcia-Milá (founder of projects like EyeOS) has reminded us of on his Twitter account, with a short video in which he explains how to access that password. Let’s analyze it in detail.

How to ‘deobfuscate’ passwords

First of all, we access a website that may have a password saved in the browser we are using. Gmail, Twitter or Outlook can be safe bets, although in this case we are going to use Evernote. Once we try to log in, we will see that the password is shown obfuscated with dots or asterisks. We could simply click ‘Login’ (another potential security problem), but let’s imagine that what we are interested in is the password itself, to find out whether the user has reused it in services with more ‘juicy’ information.





At this point, the next step is very simple: we right-click on the password field and click on ‘Inspect’. The web development tools open on one side, which allows us to directly alter the code of the website that we are viewing. The portion of the HTML code that renders the element we clicked is highlighted automatically. In this case, an ‘<input type="password" …>’ element.





Well, we just have to select the text ‘password’ in the HTML code, change it to ‘text’ and then press Enter.





Having ceased to be a password field and become plain text, the field automatically stops obfuscating its content (already entered there by the browser), which is now perfectly visible. Done: we no longer need to know the Windows password of the owner / usual user of the PC.
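
The edit described above can be partly countered by the site that serves the login form. The following is an added example, not code from the original article or from Pau Garcia-Milá: a guard that clears a password field as soon as its type attribute is switched away from password. The function names and the data-allow-reveal opt-out attribute are assumptions made for the illustration.

```javascript
// Added example, not from the article. All names here are hypothetical.

// Given one MutationRecord, clear the field if a masked input was just unmasked.
function clearIfUnmasked(record) {
  if (record.type !== 'attributes' || record.attributeName !== 'type') return false;
  const el = record.target;
  if (!el || el.tagName !== 'INPUT') return false;
  const was = (record.oldValue || '').toLowerCase();
  const now = (el.getAttribute('type') || 'text').toLowerCase();
  if (was !== 'password' || now === 'password') return false;
  // The page's own "show password" toggle can opt out explicitly (assumed attribute).
  if (el.getAttribute('data-allow-reveal') === 'true') return false;
  el.value = '';                        // drop the autofilled secret
  el.setAttribute('type', 'password');  // restore masking
  return true;
}

// Browser entry point: watch every type-attribute change under `root`.
// Observer callbacks run as microtasks, i.e. before the next paint.
function installPasswordGuard(root) {
  if (typeof MutationObserver === 'undefined') return null; // not in a browser
  const observer = new MutationObserver((records) => records.forEach(clearIfUnmasked));
  observer.observe(root, {
    subtree: true, attributes: true,
    attributeFilter: ['type'], attributeOldValue: true,
  });
  return observer;
}

// Constructed stand-in for an <input> element, so the logic also runs outside a browser.
function fakeInput(type, value, extra = {}) {
  const attrs = { type, ...extra };
  return {
    tagName: 'INPUT',
    value,
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
    setAttribute: (name, v) => { attrs[name] = String(v); },
  };
}

// Simulate the DevTools edit from the article: type was "password", is now "text".
function simulateEdit(input) {
  const record = { type: 'attributes', attributeName: 'type', oldValue: 'password', target: input };
  return clearIfUnmasked(record);
}

// In a page: installPasswordGuard(document);
```

This guard only covers the attribute edit shown in the article; locking the operating system session and protecting the browser profile remain the main defences.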





Via | Pau Garcia-Mila