1
00:00:00,930 --> 00:00:06,780
In this lesson, we're going to see how to hijack a password that someone has stored in their browser

2
00:00:06,960 --> 00:00:11,020
and see how to reveal that password in plain text.

3
00:00:11,550 --> 00:00:15,390
So let's switch over to Firefox or to Chrome.

4
00:00:15,390 --> 00:00:21,870
Any desktop browser, Firefox and Chrome are great for this because they allow us to use the inspect

5
00:00:21,870 --> 00:00:24,570
element or inspect option when we right

6
00:00:24,570 --> 00:00:27,840
click or control click on an element on the screen.

7
00:00:28,440 --> 00:00:33,960
So I've got a few login pages here and unfortunately most of us do this at some point.

8
00:00:34,350 --> 00:00:35,940
We have the Web page

9
00:00:35,940 --> 00:00:40,260
remember our password. You get that handy little pop-up after you log in.

10
00:00:40,260 --> 00:00:44,340
It says, "Would you like Firefox or would you like Chrome to remember this password?"

11
00:00:44,580 --> 00:00:47,850
And it is handy not to have to enter a password every time.

12
00:00:48,120 --> 00:00:54,270
Unfortunately, if you ever do this on a machine that has public access, like a machine, a computer

13
00:00:54,270 --> 00:01:03,240
at a library, a computer at an Internet cafe, a computer at work or at school, you can leave your

14
00:01:03,240 --> 00:01:06,290
password susceptible to this kind of hijacking.

15
00:01:06,540 --> 00:01:11,340
We're going to see how to reveal passwords in both Firefox and Chrome.

16
00:01:11,340 --> 00:01:12,810
But you can do this in any browser.

17
00:01:13,140 --> 00:01:16,170
There are tools that will let you do this in any browser.

18
00:01:16,170 --> 00:01:21,190
But we're going to use just the browser itself to display those hijacked passwords.

19
00:01:21,900 --> 00:01:27,570
This doesn't take very much experience, very much ability, very many skills at all.

20
00:01:27,820 --> 00:01:34,080
So you can see why it's so important not to store your passwords in computers where you don't have complete

21
00:01:34,080 --> 00:01:35,490
control over the machine.

22
00:01:35,700 --> 00:01:39,210
And remember, you almost never have complete control of your machine.

23
00:01:39,510 --> 00:01:47,430
If you walk away from your computer at Starbucks and leave it on the desktop, on the table there,

24
00:01:47,580 --> 00:01:51,830
someone can walk up and do this attack just as easily as we're about to show it.

25
00:01:52,260 --> 00:01:54,810
So always protect the physical access.

26
00:01:54,810 --> 00:01:57,570
We're all the way back to lesson to section one.

27
00:01:57,900 --> 00:01:59,700
Physical access is total access.

28
00:01:59,880 --> 00:02:06,150
If somebody has access to your workstation at work, at home, school, they have access to your passwords

29
00:02:06,160 --> 00:02:10,380
if you store them in your browser. It doesn't mean you can never use this feature.

30
00:02:10,380 --> 00:02:16,740
But you just need to be aware that any password you do choose to store in the browser is susceptible

31
00:02:16,740 --> 00:02:19,230
to this kind of hijacking attempt.

32
00:02:19,700 --> 00:02:21,800
So I have a few websites up here.

33
00:02:21,810 --> 00:02:28,020
Facebook is a good first one to start since we've used it for the phishing email example.

34
00:02:28,620 --> 00:02:34,470
Our user, Fred Flintstone, has entered his username and password and he's told the browser to remember

35
00:02:34,470 --> 00:02:35,370
that password.

36
00:02:35,760 --> 00:02:43,140
Well, all we have to do on either Chrome or newer installations of Firefox, we don't even have to

37
00:02:43,140 --> 00:02:46,860
have any special tools installed to make this attack work.

38
00:02:46,860 --> 00:02:47,220
We just

39
00:02:47,220 --> 00:02:47,570
right

40
00:02:47,580 --> 00:02:55,800
click on the password field itself or control click if we're on a Mac computer and come down to the

41
00:02:55,800 --> 00:03:00,750
inspect option and notice we are on the real Facebook page.

42
00:03:00,750 --> 00:03:01,980
This is secure.

43
00:03:02,430 --> 00:03:06,600
My password is stored in my browser though, and I've just typed it in from the keyboard.

44
00:03:06,960 --> 00:03:13,110
So if I come down to inspect and scroll over so I can see that password field's still on the screen,

45
00:03:13,530 --> 00:03:18,510
the inspect feature lets you look at the HTML behind a Web page.

46
00:03:18,810 --> 00:03:21,990
So this is what makes this field look like it does.

47
00:03:21,990 --> 00:03:24,450
It's an input field that's from a web form.

48
00:03:24,810 --> 00:03:26,780
I'll make this a little bigger in here.

49
00:03:27,630 --> 00:03:28,200
There we go.

50
00:03:28,200 --> 00:03:30,600
I've zoomed in just a little bit so we can see this clearer.

51
00:03:30,600 --> 00:03:35,250
But this is an input field and we can see the type is password.

52
00:03:35,250 --> 00:03:40,350
That's actually this little piece that makes this mask those characters.

53
00:03:40,350 --> 00:03:42,510
Because we know we just typed in regular characters.

54
00:03:42,510 --> 00:03:50,970
They just come up as dots or stars when we're on a Web page. Changing this type from password to something

55
00:03:50,970 --> 00:03:51,180
else,

56
00:03:51,180 --> 00:03:57,570
and I can do this with just a double click, like a regular text field, to X and then hitting tab.

57
00:03:58,900 --> 00:04:01,120
Do you see what just happened to my password?

58
00:04:02,430 --> 00:04:04,110
Mean, zoom in a little more there.

59
00:04:10,600 --> 00:04:17,380
You mean just by changing one little thing in the HTML behind this page, I made my

60
00:04:18,190 --> 00:04:21,040
password clear text.

61
00:04:21,940 --> 00:04:27,670
So let's see that one more time. I'm going to click back over here for the time and I'll control Z or command

62
00:04:27,670 --> 00:04:34,150
Z, or I can just type password back, tab. Notice it goes back to a password field.

63
00:04:34,160 --> 00:04:39,400
But if I double click on type and change that to anything, I can make it text.

64
00:04:39,400 --> 00:04:40,540
I can just make it.

65
00:04:40,540 --> 00:04:41,650
I can add one character.

66
00:04:41,650 --> 00:04:46,510
I can say password one and hit tab or enter.

67
00:04:47,570 --> 00:04:52,970
And notice that password is no longer hidden on the Web page. The same thing for Twitter.

68
00:04:53,160 --> 00:04:53,420
Right

69
00:04:53,420 --> 00:04:57,830
click, go to inspect, find the input.

70
00:04:58,430 --> 00:05:01,880
And when you click over here on the element, you'll see that it highlights over here.

71
00:05:02,600 --> 00:05:04,700
Find the type equals password.

72
00:05:04,700 --> 00:05:07,760
Change that for anything else and hit tab.

73
00:05:08,930 --> 00:05:12,800
And your password is plain text. Banking.

74
00:05:14,790 --> 00:05:16,350
Click on Inspect.

75
00:05:17,660 --> 00:05:20,620
Change the type equals password to anything else.

76
00:05:22,010 --> 00:05:23,690
And your banking password.

77
00:05:24,340 --> 00:05:28,250
Let's talk about how it works when you've got these two separate screens.

78
00:05:28,250 --> 00:05:33,410
We mentioned back in phishing that phishing attempts work best when you got the username and the password

79
00:05:33,410 --> 00:05:35,570
together, like we do on most sites.

80
00:05:36,230 --> 00:05:38,660
But a lot of sites split this up.

81
00:05:38,660 --> 00:05:39,890
And there's a good reason for this.

82
00:05:39,890 --> 00:05:46,190
If I say Fred Flintstone and then I, I have my password entered in here and I walk away or I have it

83
00:05:46,190 --> 00:05:51,920
autofill, I just right click, come to inspect, even though it's on two separate screens, if you remember

84
00:05:51,920 --> 00:05:52,820
that password.

85
00:05:54,300 --> 00:05:55,710
We just have to find

86
00:05:59,570 --> 00:06:04,040
the type equals password, change it, hit tab.

87
00:06:04,980 --> 00:06:10,950
And there's the password for Fred Flintstone dotcom. Same thing for Gmail, even though it has two

88
00:06:10,950 --> 00:06:12,010
separate screens.

89
00:06:12,420 --> 00:06:17,730
If I come here and inspect, you see type equals password, make it something else.

90
00:06:18,330 --> 00:06:19,200
Hit tab.

91
00:06:19,780 --> 00:06:21,710
There's Fred Flintstone's password.

92
00:06:22,270 --> 00:06:24,000
It's not just for Chrome either.

93
00:06:24,000 --> 00:06:25,710
We can minimize this.

94
00:06:25,710 --> 00:06:32,250
I've got a couple of pages loaded up here in Firefox. In older versions of Firefox,

95
00:06:32,250 --> 00:06:36,210
we would have to do Firebug installation, we'd have to add an extension.

96
00:06:36,480 --> 00:06:40,260
But these days we just come to the page where someone's stored their password.

97
00:06:40,560 --> 00:06:43,200
We right click, come down to inspect element.

98
00:06:44,610 --> 00:06:50,610
Find that type equals password and change password to anything else. Notice it's plain text right now,

99
00:06:50,610 --> 00:06:53,970
but as soon as I type one extra character and password in tab.

100
00:06:54,920 --> 00:07:02,450
I see Fred's password. The same thing with Twitter: right click or command click, inspect element,

101
00:07:02,930 --> 00:07:05,180
find where it says password, change

102
00:07:05,180 --> 00:07:12,860
that type equals password to anything else, tab, and your passwords have been hijacked.

103
00:07:13,340 --> 00:07:15,970
So be very careful if you ever have your browser

104
00:07:15,980 --> 00:07:17,120
remember passwords.

105
00:07:17,450 --> 00:07:24,080
Just know that if anyone has access to that computer, they have complete access to your passwords.

106
00:07:24,380 --> 00:07:25,880
This is really important stuff

107
00:07:25,880 --> 00:07:32,990
if you have a shared computer or if you use public computers in any way. You can do this on your own

108
00:07:32,990 --> 00:07:36,800
personal computer for the passwords that are not most critical to you.

109
00:07:37,100 --> 00:07:43,640
But even then, you leave that laptop, you leave your desktop unattended, you could be open to browser

110
00:07:43,640 --> 00:07:50,630
hijacking like this, in this case, password hijacking from our browser. Changing one character

111
00:07:50,630 --> 00:07:57,080
by going to inspect element and changing that character, changing the type of a password field to anything

112
00:07:57,080 --> 00:07:58,100
other than the password,

113
00:07:58,310 --> 00:08:01,100
we reveal the entire password in plain text.

114
00:08:01,390 --> 00:08:03,370
OK, this has been a useful introduction.

115
00:08:03,380 --> 00:08:10,550
Don't store those passwords any place that you don't have complete control over and remember, you don't

116
00:08:10,550 --> 00:08:12,800
have complete control over very much.

117
00:08:12,830 --> 00:08:14,150
We'll see in the next lesson.