Opera Wand security issue AKA how to get passwords saved in the Wand which you don’t remember
Opera does, as well as a great amount of other browser, have support for storing login-credentials, making it easy for the users to just click the Wand, or Command+Enter (mac) or ctrl+Enter (Windows) to have the browser autmaticly fill the fields and submit the form. But there are simple ways to extract the passwords.
Let’s say you have saved your login-credentials at http://examplecommunity.com/, which consists of a user name and a password. The password-field at the login-page uses type=”password” to display asterisks to hide the input from any users watching. Opera has a neat feature which lets you modify the source of any page, and “Apply” it to reload it as if it was the original page. So if you changes the type=”password” to type=”text” (or simply removes it, as text is the default type), and clicks “Apply” you might still use the wand, and now the text inserted into the password-field is perfectly visible. It’s just to hit “esc” to cancel the loading of the next page and you have the password written en clear text.
Now, it is unfortunately not usual amongst the browsers that has this kind of feature to have easy ways of working around it, either by hacking the local files which contains the passwords or by some other tricks which differs a little from browser to browser.
There are some ways which webdevelopers might make this a little bit harder, by i.e. including the login-form with JS etc, but first of all it’s a big NO because it’s bad , bad practice against UA’s which either not support JS, or has it deactivated. Second it’s just to use the developer-tools and modify the DOM which is created none the less.
Verified with Opera 9.64 and 10.00 beta