This week, I wanted to make a simple experiment. For sure, all applications we develop make use of HTTPS to encrypt the login/password but what happens before?
Let’s say I typed my login/password but before sending them, I’m called by my colleague and I leave my computer open.
My password is protected by the HTML password input, right? It shows stars instead of the real characters.
Well, it’s stupidly easy to circumvent this.
If you use a developer workstation and have developer tools on your browser, just live edit the page and change type="password"
to type="text"
.
Guess what?
It works and displays the password in clear text.
You have been warned!