Google Chrome's developer tools have a feature that lets you alter the content of a web page in real time. You can try it yourself by changing CSS styles or even removing elements, among many other things.
Thanks to exactly this, it is possible to use the Chrome Developer Tools to show in plain text the passwords that we type in the browser and that websites mask with asterisks. Over the last five years this behavior has been reported 43 times as a bug, and it was reported again a few days ago. Google, however, explains why it is not a bug and why it does not represent a security problem.
To “take advantage” of this, the user must first enter their password in the password field of the web page. Then they need to open the Chrome developer tools and locate the password field within the code. The next step is to edit the password field in the HTML code, changing its “type” attribute from “password” to “text”.
Chrome will then display the password in readable text instead of asterisks. Chrome engineers have christened the bug that is not a bug “Users can steal their own passwords.”
Why it is not a bug
The Chrome team has explained why this really is not a big deal and is not a problem for the browser’s security model:
One of the most frequent reports we receive is about the disclosure of passwords using the function to inspect element (example). People reason that “If you can see the password, it should be a bug.” However, this is just one of the physical-local attacks described in the previous example, and all of those points apply here as well.
In short, the fact that you can use the Chrome tools to see the password behind the asterisks is not a security problem beyond any other you may face if someone with bad intentions gets physical hold of your computer.
It is not a remote attack; it is one for which the attacker has to have the machine in their hands, and there are many ways to obtain a password in that case. Asterisks are not some magical form of security or encryption that hides the password from the browser; they are just a way to prevent someone passing in front of your screen from seeing what you type in the password field. You should worry more about using strong passwords.