
“The user can steal your own password”: the inoffensive Chrome function that continues to be reported as a bug


The Chrome Developer Tools have a feature that lets you alter the content of a web page in real time. You can try it yourself by changing CSS styles or even removing elements, among many other things.

For exactly this reason, it is possible to use the Chrome Developer Tools to show in plain text the passwords that we type in the browser and that websites mask with asterisks. Over the last five years this behaviour has been reported as a bug 43 times, and it was reported again a few days ago. Google, however, explains why it is not a bug and why it does not represent a security problem.

To “take advantage” of this, the user must first enter their password in the password field of the web page. Then they need to open the Chrome Developer Tools and locate the password field within the code. The next step is to edit the password field in the HTML code, changing its “type” attribute from “password” to “text”.

[Image: Chrome Bug. Credit: Bleeping Computer]

Chrome will then display the password in readable text instead of asterisks. Chrome engineers have christened this bug that is not a bug “Users can steal their own passwords.”

Why it is not a bug

The Chrome team has explained why this is not a big deal and not a problem for the browser’s security model:

One of the most frequent reports we receive is about the disclosure of passwords using the function to inspect element (example). People reason that “If you can see the password, it should be a bug.” However, this is just one of the physical-local attacks described in the previous example, and all of those points apply here as well.

The reason why the password is masked is only to prevent disclosure through “shoulder-surfing” (that is, the passive view of your screen by people who are nearby), not because it is an unknown secret for the browser. The browser knows the password in many layers, including JavaScript, development tools, process memory, and so on. When you are physically present next to the computer, and only when you are physically present next to the computer, there are, and always will be, tools to extract the password from any of these places.

In short, being able to use the Chrome tools to see the password behind the asterisks is no more of a security problem than any other you may suffer if someone with bad intentions gets physical access to your computer.

It is not a remote attack; it requires having the machine in your hands, and in that case there are many ways to obtain a password. Asterisks are not some magical form of security or encryption that hides the password from the browser; they are just a way to prevent someone passing in front of your screen from seeing what you type in the password field. You should worry more about using strong passwords.

