Saturday, 30 May 2009

Finding Hotmail Passwords using JavaScript

I was messing around with JavaScript, and it seems that there is a way to find a Hotmail password if it has been typed into the password textbox. For this to work, the form must not yet have been submitted.

Apparently, typing the code

javascript:alert(document.getElementById('$').value);

where $ = name of the password textbox
as the URL may cause the password to be displayed in an alert box. The code is case-sensitive.

In the case of Hotmail, the textbox name is i0118:

Finding Hotmail Passwords using JavaScript - Ashvin Sawmynaden's Blog

I have tested this on a couple of other websites, as demonstrated below:

Finding Hotmail Passwords using JavaScript - Ashvin Sawmynaden's Blog
Finding Hotmail Passwords using JavaScript - Ashvin Sawmynaden's BlogI have only tried this in Firefox, but I am assuming it would also work in Internet Explorer and other browsers. Obviously, given the steep requirements for this to work, the likelyhood of successfully obtaining access to an account using this method is minimal at best and would probably not work in a real-life situation. I however think that tons of pranks can be made by exploiting this bug and using it on non-savvy PC users.