Are auto complete forms a security concern?

Question

I know when I fill out forms with address and email it will attempt to auto complete the rest of the information. Is it possible to include more hidden fields on the page in order to get more information with the auto complete than is visible to the user?

A real life example. I recently filed my taxes online which included my social and that made me think if this. Obviously a website should prevent saving of confidential info, but if those measures weren't in place could another site where I'm simply putting in my email secretly auto complete more info not visible like my social?

score 2 · Answer 1 · answered Feb 04 '15 at 00:34

2

Frankly, yes, there is an issue.

Assuming, of course, that your browser is auto-completing forms, it's possible that it will happily populate any applicable field it sees, whether you can see it or not.

That's why it is important to keep your auto-complete tool clean. Packages like LastPass add a large red icon to fields it auto-completes so that it is very obvious when it is adding data.

answered Feb 04 '15 at 00:34

schroeder

123,438
55
284
319

LastPass also prompts you before filling out credit card details. – SilverlightFox Feb 05 '15 at 09:36

score 1 · Answer 2 · edited Mar 17 '17 at 10:46

See also this question:

Should websites be allowed to disable autocomplete on forms or fields?

For me one of the issues is how a browser might be storing a password. There was an issue identified with Chrome a while back where it was trivial to reveal the passwords it was storing. There are probably issues with the other major browsers too. If you lull users into a false sense of security by letting them use autocomplete, it might be encouraging them into bad behavious and making their passwords easily accessible in other ways.

As an analogy, if you force users to set a complex password, so they write it on a post it and stick it on their screen, then it's not very secure. If you allow a user to save their password in autocomplete, but actually the browser is doing a lousy job of protecting it, then again it's not very secure.

score 0 · Answer 3 · answered Feb 04 '15 at 00:26

0

auto-complete by itself is not cross-site, it is form dependent, this means that another site cannot autocomplete your information based on the autocomplete information of another site however it is a security concern, this is because someone with access to your computer can easily obtain your information. This is of course low risk if only you use your PC (unless it is stolen) but can be hazardous for computers used by multiple persons.

answered Feb 04 '15 at 00:26

Kotzu

944
7
10

3

unless the OP meant that the browser is auto-completing, in which case, it might auto-complete form fields that are obscured from view – schroeder Feb 04 '15 at 00:29
You are right, I was thinking only code-wise. – Kotzu Feb 04 '15 at 00:36

Are auto complete forms a security concern?

3 Answers3