1
00:00:00,930 --> 00:00:06,780
In this lesson, we're going to see how to hijack a password that someone is stored in their browser

2
00:00:06,960 --> 00:00:11,020
and see how to reveal that password in plain text.

3
00:00:11,550 --> 00:00:15,390
So let's switch over to Firefox or to Chrome.

4
00:00:15,390 --> 00:00:21,870
Any desktop browser, Firefox and Chrome are great for this because they allow us to use the inspect

5
00:00:21,870 --> 00:00:24,570
element or inspect option when we right.

6
00:00:24,570 --> 00:00:27,840
Click or control click on an element on the screen.

7
00:00:28,440 --> 00:00:33,960
So I've got a few log in pages here and unfortunately most of us do this at some point.

8
00:00:34,350 --> 00:00:35,940
We have the Web page.

9
00:00:35,940 --> 00:00:40,260
Remember our password, you get that handy little pop up after you log in.

10
00:00:40,260 --> 00:00:44,340
It says, Would you like Firefox or would you like Chrome to remember this password?

11
00:00:44,580 --> 00:00:47,850
And it is handy not to have to enter a password every time.

12
00:00:48,120 --> 00:00:54,270
Unfortunately, if you ever do this on a machine that has public access, like a machine, a computer

13
00:00:54,270 --> 00:01:03,240
at a library, a computer at a an Internet cafe, a computer at work or at school, you can leave your

14
00:01:03,240 --> 00:01:06,290
password susceptible to this kind of hijacking.

15
00:01:06,540 --> 00:01:11,340
We're going to see how to reveal passwords in both Firefox and Chrome.

16
00:01:11,340 --> 00:01:12,810
But you can do this in any browser.

17
00:01:13,140 --> 00:01:16,170
There are tools that will let you do this in any browser.

18
00:01:16,170 --> 00:01:21,190
But we're going to use just the browser itself to display those hijacked passwords.

19
00:01:21,900 --> 00:01:27,570
This doesn't take very much experience, very much ability, very many skills at all.

20
00:01:27,820 --> 00:01:34,080
So you can see why it's so important not to store your passwords in computers where you don't have complete

21
00:01:34,080 --> 00:01:35,490
control over the machine.

22
00:01:35,700 --> 00:01:39,210
And remember, you almost never have complete control of your machine.

23
00:01:39,510 --> 00:01:47,430
If you walk away from your computer at Starbucks and leave it on the desktop, on the table there,

24
00:01:47,580 --> 00:01:51,830
someone can walk up and do this attack just as easily as we're about to show it.

25
00:01:52,260 --> 00:01:54,810
So always protect the physical access.

26
00:01:54,810 --> 00:01:57,570
We're all the way back to lesson to section one.

27
00:01:57,900 --> 00:01:59,700
Physical access is total access.

28
00:01:59,880 --> 00:02:06,150
If somebody has access to your workstation at work, at home, school, they have access to your passwords.

29
00:02:06,160 --> 00:02:10,380
If you store them in your browser, it doesn't mean you can never use this feature.

30
00:02:10,380 --> 00:02:16,740
But you just need to be aware that any password you do choose to store in the browser is susceptible

31
00:02:16,740 --> 00:02:19,230
to this kind of hijacking attempt.

32
00:02:19,700 --> 00:02:21,800
So I have a few websites up here.

33
00:02:21,810 --> 00:02:28,020
Facebook is a good first one to start since we've used it for the phishing email example.

34
00:02:28,620 --> 00:02:34,470
Our user, Fred Flintstone, has entered his username and password and he's told the browser to remember

35
00:02:34,470 --> 00:02:35,370
that password.

36
00:02:35,760 --> 00:02:43,140
Well, all we have to do on either Chrome or newer installations of Firefox, we don't even have to

37
00:02:43,140 --> 00:02:46,860
have any special tools installed to make this attack work.

38
00:02:46,860 --> 00:02:47,220
We just.

39
00:02:47,220 --> 00:02:47,570
Right.

40
00:02:47,580 --> 00:02:55,800
Click on the password field itself or control click if we're on a Mac computer and come down to the

41
00:02:55,800 --> 00:03:00,750
inspect option and notice we are on the real Facebook page.

42
00:03:00,750 --> 00:03:01,980
This is secure.

43
00:03:02,430 --> 00:03:06,600
My password is stored in my browser though, and I've just typed it in from the keyboard.

44
00:03:06,960 --> 00:03:13,110
So if I come down to inspect and scroll over so I can see that password fields still on the screen,

45
00:03:13,530 --> 00:03:18,510
the inspect feature lets you look at the HTML behind a Web page.

46
00:03:18,810 --> 00:03:21,990
So this is what makes this field look like it does.

47
00:03:21,990 --> 00:03:24,450
It's an input field that's from a web form.

48
00:03:24,810 --> 00:03:26,780
I'll make this a little bigger in here.

49
00:03:27,630 --> 00:03:28,200
There we go.

50
00:03:28,200 --> 00:03:30,600
I've zoomed in just a little bit so we can see this clearer.

51
00:03:30,600 --> 00:03:35,250
But this is an input field and we can see the type is password.

52
00:03:35,250 --> 00:03:40,350
What's actually this little piece that makes this mask those characters?

53
00:03:40,350 --> 00:03:42,510
Because we know we just typed in regular characters.

54
00:03:42,510 --> 00:03:50,970
They just come up as dots or stars when we're on a Web page, changing this type from password to something

55
00:03:50,970 --> 00:03:51,180
else.

56
00:03:51,180 --> 00:03:57,570
And I can do this with just a double click, like a regular TextField to X and then hitting tab.

57
00:03:58,900 --> 00:04:01,120
Do you see what just happened to my password?

58
00:04:02,430 --> 00:04:04,110
Mean, zoom in a little more there.

59
00:04:10,600 --> 00:04:17,380
You mean just by changing one little thing and the HTML behind this page, I made my.

60
00:04:18,190 --> 00:04:21,040
Password, clear text.

61
00:04:21,940 --> 00:04:27,670
So let's see that one more time, I'm going to click back over here for the time and I'll control Zuckermann

62
00:04:27,670 --> 00:04:34,150
Z or I can just type password back tab notice it goes back to a password field.

63
00:04:34,160 --> 00:04:39,400
But if I double click on type and change that to anything, I can make it text.

64
00:04:39,400 --> 00:04:40,540
I can just make it.

65
00:04:40,540 --> 00:04:41,650
I can add one character.

66
00:04:41,650 --> 00:04:46,510
I can say pass word one and hit tab or enter.

67
00:04:47,570 --> 00:04:52,970
And notice that password is no longer hidden on the Web page, the same thing for Twitter.

68
00:04:53,160 --> 00:04:53,420
Right.

69
00:04:53,420 --> 00:04:57,830
Click, go to inspect, find the input.

70
00:04:58,430 --> 00:05:01,880
And when you click over here on the Element, you'll see that it highlights over here.

71
00:05:02,600 --> 00:05:04,700
Find the type equals password.

72
00:05:04,700 --> 00:05:07,760
Change that for anything else and hit tab.

73
00:05:08,930 --> 00:05:12,800
And your password is plain text banking.

74
00:05:14,790 --> 00:05:16,350
Click on Inspect.

75
00:05:17,660 --> 00:05:20,620
Change the type equals password to anything else.

76
00:05:22,010 --> 00:05:23,690
And your banking password.

77
00:05:24,340 --> 00:05:28,250
Let's talk about how it works when you've got these two separate screens.

78
00:05:28,250 --> 00:05:33,410
We mentioned back in phishing that phishing attempts work best when you got the username and the password

79
00:05:33,410 --> 00:05:35,570
together, like we do on most sites.

80
00:05:36,230 --> 00:05:38,660
But a lot of sites split this up.

81
00:05:38,660 --> 00:05:39,890
And there's a good reason for this.

82
00:05:39,890 --> 00:05:46,190
If I say Fred Flintstone and then I, I have my password entered in here and I walk away or I have it

83
00:05:46,190 --> 00:05:51,920
autofill, I just right click come to inspect, even though it's on two separate screens, if you remember

84
00:05:51,920 --> 00:05:52,820
that password.

85
00:05:54,300 --> 00:05:55,710
We just have to find.

86
00:05:59,570 --> 00:06:04,040
The type equals password, change it, Hattab.

87
00:06:04,980 --> 00:06:10,950
And there's the password for Fred Flintstone dotcom, same thing for Gmail, even though it has two

88
00:06:10,950 --> 00:06:12,010
separate screens.

89
00:06:12,420 --> 00:06:17,730
If I come here and inspect, you see type equals password, make it something else.

90
00:06:18,330 --> 00:06:19,200
Hit tab.

91
00:06:19,780 --> 00:06:21,710
There's Fred Flintstone's password.

92
00:06:22,270 --> 00:06:24,000
It's not just for Chrome either.

93
00:06:24,000 --> 00:06:25,710
We can minimize this.

94
00:06:25,710 --> 00:06:32,250
I've got a couple of pages loaded up here and Firefox in older versions of Firefox.

95
00:06:32,250 --> 00:06:36,210
We would have to do firebug installation, we'd have to add an extension.

96
00:06:36,480 --> 00:06:40,260
But these days we just come to the page where someone's stored their password.

97
00:06:40,560 --> 00:06:43,200
We right click come down to inspect element.

98
00:06:44,610 --> 00:06:50,610
Find that type equals password and change password to anything else, notice it's plain text right now,

99
00:06:50,610 --> 00:06:53,970
but as soon as I type one extra character and password in tab.

100
00:06:54,920 --> 00:07:02,450
I see Fred's password, the same thing with Twitter, right, click or command, click, inspect element,

101
00:07:02,930 --> 00:07:05,180
find where it says password change.

102
00:07:05,180 --> 00:07:12,860
That type equals password to anything else tab and your passwords have been hijacked.

103
00:07:13,340 --> 00:07:15,970
So be very careful if you ever have your browser.

104
00:07:15,980 --> 00:07:17,120
Remember passwords.

105
00:07:17,450 --> 00:07:24,080
Just know that if anyone has access to that computer, they have complete access to your passwords.

106
00:07:24,380 --> 00:07:25,880
This is really important stuff.

107
00:07:25,880 --> 00:07:32,990
If you have a shared computer or if you use public computers in any way, you can do this on your own

108
00:07:32,990 --> 00:07:36,800
personal computer for the passwords that are not most critical to you.

109
00:07:37,100 --> 00:07:43,640
But even then, you leave that laptop, you leave your desktop unattended, you could be open to browser

110
00:07:43,640 --> 00:07:50,630
highjacking like this, in this case, password highjacking from our browser, changing one character

111
00:07:50,630 --> 00:07:57,080
by going to inspect element and changing that character, changing the type of a password field to anything

112
00:07:57,080 --> 00:07:58,100
other than the password.

113
00:07:58,310 --> 00:08:01,100
We reveal the entire password in plain text.

114
00:08:01,390 --> 00:08:03,370
OK, this has been a useful introduction.

115
00:08:03,380 --> 00:08:10,550
Don't store those passwords any place that you don't have complete control over and remember, you don't

116
00:08:10,550 --> 00:08:12,800
have complete control over very much.

117
00:08:12,830 --> 00:08:14,150
We'll see in the next lesson.