sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Opera Wand passwords...
Posted by: Kyran
Date: October 15, 2006 06:53PM

javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s) alert("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page.");})();


I found this javascript while browsing my.opera.com - It feels very exploitable. Similar to Firefox passwords. This one doesn't even use anything from the opera object so no error will appear in other browsers. Someone could use it as part of a larger plaintext pass stealing javascript app.

- Edit -

I should elaborate. Run that javascript in your address bar after pressing CTRL+Enter/using the wand. Do it quickly, or press ESC while loading the next page. It will display your saved password.

- Kyran



Edited 1 time(s). Last edit at 10/15/2006 06:57PM by Kyran.

Re: Opera Wand passwords...
Posted by: rsnake
Date: October 15, 2006 09:09PM

Interesting... That could be valuable, although, I'm having a tough time getting it to work until after I've entered a password. Otherwise it shows blank. Can you get it to work if you haven't typed in a password?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Opera Wand passwords...
Posted by: Kyran
Date: October 15, 2006 09:18PM

I found this on a random site earlier, it wasn't my find. I haven't really played around with it much. I'll do some testing tomorrow morning with it.

But yeah, it doesn't seem as good as the Firefox version right now since it doesn't automatically do it. I'll see if there is anything in the opera object in javascript that will do it.

- Kyran

Re: Opera Wand passwords...
Posted by: bhm
Date: October 16, 2006 10:11PM

I don't see how this is specific to Opera Wands or even just to Opera itself. As far as I can tell, the javascript function just searches through all form elements on a page and if they are of type password it puts up an alert with the contents.

I went to gmail.com and ran the javascript before entering any password and the alert came up with no password. I tried it again, and typed in the password but did not hit submit. After running the javascript, it alerted what I just typed in the password box.

I did the same thing with Firefox and got the same results. Didn't bother to try it with IE because I don't see why it would be any different. It looks to me as though it's not touching wand passwords at all, it's just looking for password fields and this should be possible in any javascript enabled browser I would think.

Re: Opera Wand passwords...
Posted by: Kyran
Date: October 16, 2006 11:14PM

Yes, but Opera wand only works with form inputs named certain things. Just expanding a bit on the Firefox password stealing ideas.

- Kyran
