5

Can JavaScript access autofilled passwords, and is this considered a security risk? I know that stored passwords generally are strictly associated with a domain, but sometimes Chrome suggests the username and password from another website if it has no currently stored passwords for this domain.

(This may vary by browser, I guess)

oink
  • I've never seen Chrome suggest a username or password for a different website. Only other fields. – Quentin Sep 05 '15 at 19:31
  • I suppose the scope of the question could be widened to include things like address suggestion privacy. – oink Sep 05 '15 at 19:40

2 Answers

2

It is definitely possible (and doable) to store passwords locally with JavaScript.

This is because JavaScript itself is a client-facing language.

If, for example, you wrote some JavaScript to change the attribute of an input field such that "type='password'" was instead "type=''", then the password would show in the user's browser with no blocking blobs.

With JavaScript you also have access to take the value supplied by a password field regardless of whether or not it is blobbed out.

This is not so much a security vulnerability since it's really only usable on a client's machine and various technology built into modern browsers does a pretty OK job at securing such content.

This is also a reason it is best to keep up with the latest security software and patches.

As an example, if you were to use something along the lines of localStorage.setItem() to store a user's password on their machine before they submitted the password, then the password would remain on their machine in plain text.

However, you could also design a web application to send a user's password over an HTTP request.

However, in practice this would be easily viewable by a user and more than likely flagged by multiple sources (Trouble).

WeeniehuahuaXD
  • If there are any cross site scripting flaws (XSS) on the website, then a browser pre-filling the values can enable an automated attack to work to grab user credentials and send them to the attacker. – SilverlightFox Sep 07 '15 at 10:13
  • I'm not entirely sure of your question here. But most browsers are packaged with methods to try and stop these attacks, such as CORS. However, you will want to take it into your own hands to better secure your website and do some research in regards to data security. – WeeniehuahuaXD Sep 07 '15 at 19:44
  • I wasn't asking anything. ;) Browser XSS filters are not infallible. I was stating that a browser prefilling a password on an XSS vulnerable site is a high risk vulnerability. – SilverlightFox Sep 07 '15 at 19:56
2

Chrome autofills details under two circumstances:

  1. When explicitly told to remember credentials for a specific site
  2. When it sees fields it thinks it can autofill and the user accepts the suggested values (and these values won't be passwords)

While the fields can be read by JavaScript, they won't be populated without an explicit instruction from the user.

This does increase the level of risk, because a user might accidentally confirm the data by mistake, but the level is considered low.

Quentin
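
Following the first answer's `localStorage.setItem()` point, here is a check a site's own end-to-end tests could run after a login: scan Web Storage for the test password in the forms a script is likely to have written it. This is an added example, not code from either answer; `MemoryStorage`, `findStoredSecret` and the sample entries are constructed for illustration.

```javascript
// Storage-like objects expose length, key(i) and getItem(k), as window.localStorage does.
// MemoryStorage is a constructed in-memory stand-in so the check runs outside a browser.
class MemoryStorage {
  constructor(entries = {}) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
}

// UTF-8 safe base64 (btoa alone throws on non-Latin-1 input).
function toBase64(text) {
  return btoa(String.fromCharCode(...new TextEncoder().encode(text)));
}

// Forms in which a script may have written the secret, most direct first.
function encodingsOf(secret) {
  return [
    ['plaintext', secret],
    ['jsonEscaped', JSON.stringify(secret).slice(1, -1)],
    ['uriEncoded', encodeURIComponent(secret)],
    ['base64', toBase64(secret)], // matches only when the secret was encoded on its own
  ];
}

// Return [{ key, encoding }] for every entry whose key or value contains the secret.
function findStoredSecret(storage, secret) {
  if (!secret) return []; // an empty string is a substring of everything
  const forms = encodingsOf(secret);
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? '';
    const hit = forms.find(([, form]) => value.includes(form) || key.includes(form));
    if (hit) findings.push({ key, encoding: hit[0] });
  }
  return findings;
}

const SECRET = 'c0rrect h"rse!'; // constructed test password
const sampleStorage = new MemoryStorage({ // constructed sample entries
  theme: 'dark',
  savedPw: SECRET,
  draft: JSON.stringify({ user: 'alice', pw: SECRET }),
  blob: toBase64(SECRET),
  redirect: '/login?pw=' + encodeURIComponent(SECRET),
});
console.log(findStoredSecret(sampleStorage, SECRET));
```

In a browser test, pass `window.localStorage` or `window.sessionStorage` in place of the stand-in; an empty result is the expected outcome for a login page.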