It turns out, your saved web passwords are less safe than you might think.
I was having some trouble logging into the Tech Insider content management system to work on a story, and asked one of our development team staff to have a look. He asked if I was sure I had typed in my password correctly. I said I was, but he looked dubious.
He right-clicked the password box, which of course only displayed asterisks (seen below):
He then clicked “Inspect Element,” which brought up the site’s code:
Looks like a mess, right? It is. But look closely and you’ll see the string `type="password"`. He deleted the word “password” after “type,” like so:
That instantly revealed my password in the content entry box:
“Is that your password?” he asked. It was (I’ve obviously changed it in the example above). I was stunned — the whole thing took less than five seconds.
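The same thing the developer did by hand, written as a script you could paste into the browser’s developer-tools console. This is an added example, not code from the article: the field names, the sample values and the tiny stand-in for `document` are all constructed here so the script also runs outside a browser (the stand-in only mimics `querySelectorAll()`, `.type` and `.value`, which is all the script touches). Its point is that the asterisks are a rendering choice only: the field’s `.value` already holds the autofilled password, so the `type` change is not even needed to read it.

```javascript
// Added example, not from the article. Reads and unmasks password fields of a
// page given any document-like root (pass `document` in a real browser).

// Collect the plaintext value of every password field. No type change is
// needed: the masking is purely visual, the value is already in the field.
function readPasswordFields(root) {
  return Array.from(root.querySelectorAll('input[type="password"]'))
    .map(field => ({ name: field.name, value: field.value }));
}

// The manual trick from the article: switch type="password" to type="text".
// Only the on-screen masking changes; the value is untouched.
// Returns the number of fields that were unmasked.
function unmaskPasswordFields(root) {
  const fields = Array.from(root.querySelectorAll('input[type="password"]'));
  for (const field of fields) field.type = 'text';
  return fields.length;
}

// Constructed stand-in for `document` so the example runs offline (assumption:
// a real page would be queried through the real DOM instead).
function makeFakeDocument(fields) {
  return {
    querySelectorAll(selector) {
      // Only the one selector used above is supported by this stand-in.
      if (selector !== 'input[type="password"]') {
        throw new Error('unsupported selector in stand-in: ' + selector);
      }
      return fields.filter(f => f.type === 'password');
    },
  };
}

// Constructed sample login form: a username box and an autofilled password box.
const sampleFields = [
  { name: 'username', type: 'text', value: 'reporter@example.com' },
  { name: 'password', type: 'password', value: 'placeholder-not-a-real-password' },
];

if (typeof document !== 'undefined') {
  // In a browser: read whatever the browser has autofilled on the current page.
  console.log(readPasswordFields(document));
} else {
  // Offline: run against the constructed form.
  const fakeDoc = makeFakeDocument(sampleFields);
  console.log(readPasswordFields(fakeDoc)); // value is readable while still masked
  unmaskPasswordFields(fakeDoc);
  console.log(sampleFields[1].type);          // now 'text', value unchanged
}
```

Two practical caveats. First, because the browser put the plaintext into the field, nothing the site does about the masking changes this; a page-side fix is not really available, and most browsers ignore `autocomplete="off"` on login fields. Second, the defences that do work are the ones that keep the plaintext off an unattended screen: lock the computer when you step away, and prefer a password manager that asks for its own unlock before it fills anything.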
(Note: this method works in Google Chrome. Other browsers will have somewhat different approaches, but I’m not here to provide a training manual on password-snatching.)
This trick works on Google, Facebook, Amazon, TD Bank and every other site I’ve tried.
The danger here is that many people have their passwords saved in the browser, so that password field auto-populates the moment the page opens. The asterisks are only a display setting: the plaintext is already sitting in the field, so anything that can run in the page, the developer tools included, can read it without anyone typing a thing.
In a perfect world people would only save passwords on computers with motherboards soldered directly onto the steel walls of bio-locked vacuum chambers, like the one Ethan Hunt here is descending into in the iconic “Mission: Impossible” scene.
But how many people actually live that way?
I regularly leave my laptop unattended for short periods in rooms with friends and coworkers. My reasoning is that I trust all of those people individually, and if one of them were tempted to do something nefarious, the risk of my returning to catch them in the act would deter them from trying to log into any of my accounts on my device. And if they did, they probably wouldn’t have time to do much more than post an embarrassing Facebook status.
A trick this quick for learning someone’s password entirely changes the game. A person could, with a few taps on a keyboard, learn your password while you’re out of the room, and then erase all trace of what they’d done. Then they could access your account from any device, any time, anywhere, without you knowing. Trust me: as someone who once had several of my accounts remotely breached, this is something you definitely want to avoid.
In the short term, you can mitigate this danger by setting up two-step verification on all your accounts, locking your computer every time you step away, and using separate passwords on separate accounts. But in the long term, this seems like an obvious flaw for web developers to address.
I’m not the first person to write about this exploit, and we shouldn’t have to wait until celebrities fall victim to see it fixed. Web security is meant to protect the way people use the internet in the real world, not in an unrealistic “perfect” world.