22 replies to this topic

[Ohm]

[...] yet they have better security for this stuff.

What makes you think that?

He's referring to the fact that you can't just change the type of the password fields with Javascript on IE. IE has some other interesting security features, like XSS protection you can turn on in IE 8. I wouldn't exactly call it the most secure browser out there though.

[duper]

Although it's a slightly more involved exploitation technique, you can rule out any JavaScript idiosyncrasies by using an active proxy to rewrite the input tag's type field value from password to text.

[Ohm]

Slightly more useful would be automatically redirecting through a proxy using ARP spoofing. The only thing that remains unknown there is will the browser blindly put the password into an input text field with the same name, even if it's not a password field? I should think the browsers are smarter than that, but seeing how easy this was in the first place, I'm not so sure about that.