After a few tests on Yahoo and Facebook, with the developer tools open in the Network option (Chrome or Firefox), I noticed that after filling in my username and password and clicking Login, if I stop sending the data on the page, the POST method already appears before the page refreshes.
In other words, before the data is sent to the page the developer tools are already able to intercept the POST and its header.
Inside the header I found the item FORMDATA, which contained my password, exactly as I typed it, as below.
Then I ask: is this normal? Even with Yahoo's site being secure, with SSL and everything else? Is there any way to encrypt this data before sending?
I imagine that if a computer is infected with malware or some hidden script is running in the browser, they can intercept POST at some point and get the user's password very easily.