JavaScript Vulnerability: Acquiring Passwords From Your Find Box

Did you know that for years now there has been a JavaScript vulnerability that can abuse your browser’s Find function to steal your password?

I can say I did not know about it until now!

The attack lures you to a website where you see a list of everyone’s passwords that have been stolen.

All it took was faking your “Find” box, the box that comes up when you hit Ctrl+F or Apple+F in a browser.

How It Works

It’s very clever to say the least. It uses JavaScript so that instead of having you type into your Find box you are typing into another box entirely, which then records what you typed in.

Imagine you are reading an article about leaked passwords, and it provides a list of all those which were released. The writers of this JavaScript vulnerability are assuming you will use the Find feature of your browser to see if your password was stolen.

There is some good news, though. This has only been done as a proof of concept.

That is to say it was only demonstrated that it is possible as opposed to it actually happening.

However, if it can be done as a proof of concept, who’s to say it won’t be used for real? Suppose you got told, “Your password may be listed on this site with a giant list of passwords.” At which point you panic, go to the site and do a Find for your password.

Protect Yourself From The JavaScript Vulnerability

For those who are JavaScript programmers and understand it, the proof of concept uses a method called preventDefault. It cancels the default action of an event (here, opening the browser’s real Find box) but still allows other handlers to be executed.
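Since the trick depends on a page handler cancelling the Find shortcut, you can probe a page for that behaviour. The following is an added example, not code from the original proof of concept; the function names and the sample page object are hypothetical and constructed for illustration:

```javascript
// Added example, not from the original proof of concept.
// In a browser, run probeFindHijack(document) from the console or a content script.
function makeFindKeydown(modifier) {
  const keys = { key: "f", code: "KeyF",
                 ctrlKey: modifier === "ctrl", metaKey: modifier === "meta" };
  const base = { bubbles: true, cancelable: true };
  if (typeof KeyboardEvent === "function") {
    return new KeyboardEvent("keydown", { ...base, ...keys });
  }
  // Node has Event and EventTarget but no KeyboardEvent: emulate the fields.
  const ev = new Event("keydown", base);
  for (const k of Object.keys(keys)) Object.defineProperty(ev, k, { value: keys[k] });
  return ev;
}

function isTextBox(el) {
  return !!el && (["INPUT", "TEXTAREA"].includes(el.tagName) || el.isContentEditable === true);
}

// One finding per Find shortcut whose default action the page cancelled.
function probeFindHijack(target) {
  const startedInTextBox = isTextBox(target.activeElement);
  const findings = [];
  for (const modifier of ["ctrl", "meta"]) {
    // dispatchEvent() returns false when a handler called preventDefault().
    const cancelled = !target.dispatchEvent(makeFindKeydown(modifier));
    if (cancelled) {
      findings.push({ shortcut: modifier + "+F",
        focusMovedToTextBox: !startedInTextBox && isTextBox(target.activeElement) });
    }
  }
  return findings;
}

// Constructed stand-in for a page so the probe runs without a DOM.
function makeSamplePage(hijacksFind) {
  const page = new EventTarget();
  page.activeElement = { tagName: "BODY" };
  if (hijacksFind) {
    page.addEventListener("keydown", (e) => {
      if ((e.ctrlKey || e.metaKey) && e.key === "f") {
        e.preventDefault();                        // the real Find box never opens
        page.activeElement = { tagName: "INPUT" }; // focus lands in a page-owned box
      }
    });
  }
  return page;
}
```

A finding only means the page overrides the shortcut, which some legitimate sites do for their own search. The probe uses a synthetic, untrusted event, so an empty result is not proof that the page leaves Find alone.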

So what’s a person to do if not even their Find box is safe from having their password stolen? Well, there’s the obvious: don’t go to websites that seem suspicious.

But don’t use the Find box on your browser? I think I’d be asking for a bit much there.

Most of this problem falls on web browser developers to acknowledge this will be an issue at some point and change things on the browser itself. What they do and when, however, is entirely up to them.

For now the only advice I can offer is to be careful if you are told your password has been leaked and is listed on a website. If it happens, don’t go. It’s a trap.

What steps do you take to protect yourself from a JavaScript vulnerability? Are you concerned about the dangers JavaScript can cause? Share your opinion!

1 Comment

  1. Great tip to protect, thanks for clarifying

