
Today I accidentally discovered a “feature” in Opera's Wand (its password manager). It can both help and harm: a password that was saved earlier can be revealed in a trivial way, in just a few seconds.
How it works
- Open the login page on which the login and password fields are highlighted in yellow (meaning Wand has data for them).
- Open the page source (Ctrl + U) and find the password `input` (usually right after the first occurrence of the word “password”, which a search (Ctrl + F) finds instantly).
- Remove `type="password"`, apply the changes (Ctrl + R) and close the source view (Ctrl + W).
- Activate Wand. The password is visible immediately and stays visible for as long as the login form is on screen. You can quickly take a screenshot, or wait for the login to go through and click “Back”: the login and password will be there in plain view.
All of this takes a comfortable 10-20 seconds.
I played around with it and found that the trick worked on most of the sites I checked (including PayPal!). The exception was Habr, where for some reason Wand refused to save my password in the first place.
If everyone around us were always kind and harmless, I would gladly save my passwords in Opera and happily forget them; then, when I needed one, say to log in from another browser, I would “recall” it using this Wand “feature”. Unfortunately, I can't afford that, even on a personal laptop...
I am in no way speaking against Opera; it is my favourite browser, I have used it and will keep using it. This post is just another reminder to think about your own security. Obviously a sensible person uses Wand only on a personal machine and not for every site. The problem is that as soon as you step away from the computer for a minute, at work for example, any saved password is at risk of being stolen. This is especially dangerous when someone uses the same one or two passwords for everything they can.
In future versions Opera's developers could fix Wand's behaviour: when saving the data, remember which of the fields was the password field, and if that field later “for some reason” stops being a password field, still display asterisks in it.
Website developers who care about their users' security could also take this method of “hacking accounts” into account, for example by using JavaScript on page load to check that the password field still has `type="password"`, and acting if it does not.
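As an added example that is not part of the original post, here is such a check in JavaScript: the audit is a pure function over field descriptors, and the DOM wiring (including a MutationObserver for attribute edits made after load) is kept separate; the field names `password` and `passwd` are assumptions.

```javascript
// Added example (not from the original post): the page-load check the author suggests.
// The expected field names below are an assumption; a real site would use its own.
const EXPECTED_PASSWORD_FIELDS = ["password", "passwd"];

// Audit a list of {name, type, value} descriptors: every field the site expects to be
// a password field must still carry type="password". Returns which ones were tampered with.
function auditPasswordFields(fields, expected = EXPECTED_PASSWORD_FIELDS) {
  const tampered = fields
    .filter(f => expected.includes(f.name))
    .filter(f => String(f.type || "").toLowerCase() !== "password")
    .map(f => f.name);
  return { ok: tampered.length === 0, tampered };
}

// Remediation for a tampered field: clear anything already filled in, then restore
// masking so that a later autofill lands in a real password field.
function remediate(field) {
  field.value = "";
  field.type = "password";
  return field;
}

// Browser wiring: audit once the DOM is ready and again whenever a type attribute
// changes later (e.g. through an in-browser source editor or developer tools).
function installPasswordFieldGuard(doc) {
  const check = () => {
    const inputs = Array.from(doc.querySelectorAll("input"));
    const report = auditPasswordFields(
      inputs.map(el => ({ name: el.name, type: el.type, value: el.value }))
    );
    if (!report.ok) {
      inputs.filter(el => report.tampered.includes(el.name)).forEach(remediate);
      // A site could also disable the submit button here or report the event server-side.
    }
    return report;
  };
  doc.addEventListener("DOMContentLoaded", check);
  new MutationObserver(check).observe(doc.documentElement, {
    attributes: true, subtree: true, attributeFilter: ["type"],
  });
  return check;
}

// Only wire into the DOM when one exists, so the audit logic can also run under Node.
if (typeof document !== "undefined") installPasswordFieldGuard(document);
```

Restoring the type on load means that when Wand fills the form afterwards, the value lands in a masked field again.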
The “tests” were conducted on Opera 10.00 1 under Windows.