Opera Wand security issue AKA how to get passwords saved in the Wand which you don’t remember

Opera does, as well as a great amount of other browser, have support for storing login-credentials, making it easy for the users to just click the Wand, or Command+Enter (mac) or ctrl+Enter (Windows) to have the browser autmaticly fill the fields and submit the form. But there are simple ways to extract the passwords.

Let’s say you have saved your login-credentials at http://examplecommunity.com/, which consists of a user name and a password. The password-field at the login-page uses type=”password” to display asterisks to hide the input from any users watching. Opera has a neat feature which lets you modify the source of any page, and “Apply” it to reload it as if it was the original page. So if you changes the type=”password” to type=”text” (or simply removes it, as text is the default type), and clicks “Apply” you might still use the wand, and now the text inserted into the password-field is perfectly visible. It’s just to hit “esc” to cancel the loading of the next page and you have the password written en clear text.

Now, it is unfortunately not usual amongst the browsers that has this kind of feature to have easy ways of working around it, either by hacking the local files which contains the passwords or by some other tricks which differs a little from browser to browser.

There are some ways which webdevelopers might make this a little bit harder, by i.e. including the login-form with JS etc, but first of all it’s a big NO because it’s bad , bad practice against UA’s which either not support JS, or has it deactivated. Second it’s just to use the developer-tools and modify the DOM which is created none the less.

Verified with Opera 9.64 and 10.00 beta

Possibly related

Show passwords feature is a serious security issue in Firefox and Chrome

Be Sociable, Share!

2 Comments

  1. Mats Lindh says:

    If you’ve saved your password in the browser, it’s already exposed. Either internally in the application, by changing the field, simply unmasking the dots (there are loads of utilities for doing this) and by dumping the content of the request at request time.

    Nothing new :-)

  2. michaelo says:

    Yup, I know – lots of bookmarklets that does something similar, and tools that cracks the local files – but couldn’t seem to find anyone mentioning this exact case :) (And it seemed a lot easier for ad-hoc situations than having to resort to some utilities ;) )

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>