- Keystroke logging
- Capturing clicks
- Hijacking form submit
- Setting up event listeners
- Stealing auto-complete data
- Data exfiltration using XMLHttpRequest
- CSRF token stealing
Step 1 Open the desired website login-page
Go to the URL of the website whose saved password you want to reveal using the JS injection technique. In my case it is ‘Google login’. We can now see that auto-fill has already filled the password field with asterisks or dots.
Let's say the URL here is –
Now that we are at the login page with the password field already filled with asterisks, rewrite the whole URL in the address bar with –
Don’t forget to include
Step 3 Saved password popup
A pop-up now appears right in the browser, revealing the saved password!
There are indeed a lot of measures you can choose from to protect yourself from these kinds of hacks.
Simple yet instant way –