Can JavaScript access autofilled passwords, and is this considered a security risk? I know that stored passwords generally are strictly associated with a domain, but sometimes Chrome suggests the username and password from another website if it has no currently stored passwords for this domain.
(This may vary by browser, I guess)
Chrome autofills details under two circumstances:
- When explicitly told to remember credentials for a specific site
- When it sees fields it thinks it can autofill and the user accepts the suggested values (and these values won't be passwords)
While the fields can be read by JavaScript, they won't be populated without an explicit instruction from the user.
This does increase the level of risk, because a user might accidentally confirm the data by mistake, the level is considered low.
It is definitely possible(and doable) to store passwords locally with javascript.
This is because javascript itself is a client facing language.
If for example you wrote some javascript to change the attribute of an input field such that "type='password'" was instead "type=''" then the password would show on the users browser with no blocking blobs.
With javascript you also have access to take the value supplied by a password field regardless of whether or not it is blobbed out.
This is not so much a security vulnerability since it's really only usable on a clients machine and various technology built into modern browsers does a pretty ok job at securing such content.
This is also a reason it is best to keep up with the latest security software and patches.
As an example. If you were to use something allong the lines of localstorage.setitem() to store a suers password on their machine before they submitted the password, then the password would remain on their machine in plain text.
However, you could also design a web application to send a users password over an http request.
However, in practice this would be easily viewable by a user and more then likely flagged by multiple sources(Trouble).