This demonstrates how the SuperGenPass bookmarklet can leak your master password or other details to a malicious or hacked site.


To demonstrate, you must have the bookmarlet "installed". Click the bookmarklet, type in an "example" master password (not your real one, not that it matters) and "Submit" it. Then click the button below to reveal the master password.

So What

This doesn't expose your password, it's all client side, but a trivial addition of a GET to a remote site with the password and username will allow it to be remotely collected.

P.S. This was tested with the Firefox bookmarklet on 17 Nov 2009, not guaranteed to work after that, in another browser, or another bookmarklet version.