JavaScript Password DOMination: Easy Password Retrieval Using JavaScript and the HTML

by Jacob P. Silvia  (jacob.silvia@gmail.com)

Introduction

Have you ever been on a public computer, gone to a site requiring a login, and realized that the person using the computer before you stored his or her password on that computer?

You can then log in to the account, play with the settings, or change the username to "Ima Tool" or the default language to Esperanto, but many sites won't let you change the password to one of your own choosing unless you know what the previous password was.

Thus, no matter what changes you may make, "Ima" will still be able to log in again, change the name and language back, and maybe even change the password.

Before I continue, I should mention that you should never really log into someone else's account and change settings, nor should you compromise anyone's password.  This article is meant both to inform, by explaining how easily stored passwords can be retrieved, and to caution against storing passwords without taking the necessary precautions to secure them.

This is not the most technical article on password recovery.

In fact, it's so easy that a script kiddie could do it.  I know that there exist tools, and maybe even browser extensions, that will retrieve stored passwords for you in moments, but for the sake of argument we're pretending that we're on a computer that we can't easily or quickly install software onto and that we only have access to the web browser.

We also want to make it look to the casual eavesdropper that we're actually just surfing the web, minding our own business.  We don't want to, and indeed might not be allowed to, do something like running REGEDIT when we're, for example, at a library, or at the house of a friend who's in the other room, microwaving a Hot Pocket or something.

Supplies

You'll need a few things.

The first is access to a browser with stored passwords, preferably IE 6+ or Firefox 2+, as I haven't tested this method on other browsers.  You'll also need a bit of knowledge of HTML DOM and JavaScript, the ability to increment and decrement integers by 1 in your head (i.e., to count), and the ability to remember two numbers.

It's a plus if you can type quickly and if you can distract your mark for long enough to carry out the password retrieval.  It's also handy to carry a pen and a notebook in order to jot down your findings.

JavaScript and the HTML DOM

Now, a slight aside to discuss JavaScript and the HTML Document Object Model (DOM): if you weren't aware, most browsers allow you to execute JavaScript from the address bar.  (See "JavaScript Injection," Autumn 2005)

It's a simple matter of typing javascript:command(), for some command, into the browser's address bar.  For example, javascript:alert() will pop up a blank dialog box.

The HTML DOM is one of the best things to happen to people who like doing powerful things with otherwise-uninteresting web pages.

Using JavaScript, you can change practically any parameter on any tag, and you can even make new tags.  You may, if you're so inclined, use JavaScript to modify the DOM and so alter the page you're viewing to suit your preferences, though this exercise is left to the reader.

Check out www.w3schools.com/js/js_htmldom.asp for an introduction to the HTML DOM.

The three parts of the DOM that you need to concern yourself with are:

  • document  - The DOM's parent object.
  • forms  - The array that holds the document's forms.
  • elements  - The array that holds the elements of the form.

Simple, eh?  Okay, so now that nobody's watching, it's time to work our magic.

Procedure

Step 1:  Open the browser.  If your mark is still on your shoulder, just surf to some inconspicuous site until you can get them to go away.  Gone yet?  Good.

Step 2:  Surf to the site with the stored password.  If there isn't a login screen on the main page, go to the login screen.  See those dots, asterisks, or whatevers?  That's what we're going to uncover.

Step 3:  Type javascript:alert(document.forms.length) into the browser's address bar and press Enter.

Remember the number that pops up.  Let's call it x.

If this step doesn't work, ensure that you typed everything correctly.  If it still isn't working, you may have to resort to more guerrilla tactics to get your passwords.  Sorry!

Step 4:  For each index i from 0 to x - 1, try javascript:alert(document.forms[i].name) and look for something promising, such as "login" or a similar name.  From here on, x refers to the index of that form.

If x is 1, then congratulations: there is only one form (index 0) and you don't need to worry about this step!

Step 5:  Once you have the right value of x, do: javascript:alert(document.forms[x].elements.length)

Remember this number; let's call it y.

Step 6:  Now, for each index j from 0 to y - 1, try javascript:alert(document.forms[x].elements[j].name) until you get "password", "pin", or something similar.  From here on, y refers to the index of that field.

Step 7:  Let your heart go tha-thump; you're about to see a password that you're not supposed to see!

Step 8:  Type: javascript:alert(document.forms[x].elements[y].value)

Quickly memorize or write down the password.  Taking note of the user ID will be a great help, too.  Then, quickly surf back to your inconspicuous site before your friend comes back with that Hot Pocket or that batty old librarian wonders what you're doing.  Whew!  If you successfully kept your cool during this trial, go ahead and give yourself a pat on the back, and keep an eye on the papers for auditions to be in the next Mission: Impossible movie.

Comments

Stealing is wrong, at least for some senses of the words stealing, is, and wrong.

Don't abuse the knowledge presented in this article, because I'm not responsible if you somehow break a law or company policy by doing this.

As I mentioned earlier, this has only been tested on IE and Firefox.  These are the only two browsers that many people think about; however, there are many other browsers out there - you know what they are, or Google does if you don't.

Feel free to try this on other browsers.  If it works, huzzah; if not, boo-hoo.

Be aware that you may leave a trail of your actions, especially if your friend or library has some sort of keystroke tracking.

Feel free to come up with a more efficient or sneakier way to do this.  I'd love to hear about it, and I'm sure that the rest of the readers would too.  Or, if you would rather protect your "flock" from the "wolves" who will surely use this technique or some other method to compromise accounts, you may turn off the browser's password storage prompt and save everyone a little bit of a headache.
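Turning off the browser's prompt protects one machine; the site operator's side of the same fix is to mark password fields so the browser is never offered the value to store.  The following is an added example, not code from the article or its author: a small audit script that scans a page's HTML source for `<input type="password">` fields and reports which ones lack `autocomplete="off"`.  The sample HTML is constructed for the example, the attribute parsing is a deliberately simple regular-expression pass rather than a full HTML parser, and the assumption behind the check is the era this article describes, where browsers honoured `autocomplete="off"` on login fields; current browsers largely ignore it for password fields, so treat it as defence in depth rather than a guarantee.

```javascript
// Added example (not from the original article): audit HTML source for
// password inputs that do not carry autocomplete="off".

// Constructed sample page: two forms, one protected and one not.
const SAMPLE_HTML = `
<form name="login" action="/login">
  <input type="text" name="user">
  <input type="password" name="password">
</form>
<form name="pin" action="/pin">
  <input type="PASSWORD" name="pin" autocomplete="off">
</form>`;

// Matches each <input ...> tag; attribute parsing is done separately.
const INPUT_RE = /<input\b[^>]*>/gi;
// Matches name="value", name='value' or name=value pairs inside a tag.
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function firstDefined(...vals) {
  for (const v of vals) if (v !== undefined) return v;
  return '';
}

// Returns a lower-cased attribute map for a single tag string.
function parseAttrs(tag) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = firstDefined(m[3], m[4], m[5]).trim();
  }
  return attrs;
}

// One finding per password field: its name and whether autocomplete="off" is set.
function auditPasswordFields(html) {
  const findings = [];
  for (const tag of html.match(INPUT_RE) || []) {
    const a = parseAttrs(tag);
    if ((a.type || 'text').toLowerCase() !== 'password') continue;
    findings.push({
      name: a.name || '(unnamed)',
      autocompleteOff: (a.autocomplete || '').toLowerCase() === 'off',
    });
  }
  return findings;
}

// Names of the password fields a browser of that era would offer to store.
function unprotectedFields(html) {
  return auditPasswordFields(html)
    .filter((f) => !f.autocompleteOff)
    .map((f) => f.name);
}

// Stand-alone run: print a one-line verdict per password field.
for (const f of auditPasswordFields(SAMPLE_HTML)) {
  console.log(`${f.name}: ${f.autocompleteOff ? 'ok' : 'missing autocomplete="off"'}`);
}
```

Run it with Node against a saved copy of a login page to get a quick list of fields that are candidates for the browser's "remember password" prompt; for anything more than a spot check, swap the regular-expression pass for a real HTML parser.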

Thanks for reading!
