Browser Autocomplete Feature May Reveal Personal Data

Martin Brinkmann
Oct 25, 2011
Updated • Dec 16, 2014
Security

The autocomplete feature can be pretty handy at times. It helps you log in on your favorite website faster or load a website in your browser without having to enter the full web address. Researchers from Minded Security Labs have released a proof of concept that demonstrates how a third-party website can read a browser's autocomplete entries, which amounts to stealing them.

The proof of concept works in Firefox, but the security researchers state that other browsers are also affected by it. They explicitly mention Microsoft's Internet Explorer and note that Google Chrome may be vulnerable as well.

They do, however, mention that an attack may not be as easy to implement in Chrome, because Chrome does not "send keydown/keyup events to JS when the autocomplete drop down menu is focused".

Here is how the issue can be exploited:

It is possible to get key down / up events via JavaScript when a drop down autocomplete menu is shown. This means that it is possible to lure a user to play a game and steal arbitrary values from the browser's autocomplete feature.

The proof of concept page demonstrates how third-party websites can steal autocomplete information from Firefox. The page can check whether autocomplete information is available for sites such as Twitter, Facebook, Gmail, Microsoft or Yahoo logins, as well as for three different types of inputs.

form autocomplete stealer

According to the security researchers, browser vendors should tie autocomplete entries to the website on which they were entered, so that one site cannot read the values saved for another. Until that happens, the only way to protect the data from being stolen is to disable the browser's autocomplete feature for forms and searches.
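The article's advice is aimed at users (turn form history off in the browser). A site owner who handles the other side of the problem can at least mark sensitive fields so the browser does not add their values to its form history. The following audit script is an added example and is not code from the article or from Minded Security Labs; it scans an HTML string with a lightweight tag scanner (not a full HTML parser, an assumption made for the sake of a self-contained example) and lists the text-like inputs whose values a browser's form history would remember because they lack `autocomplete="off"`. The sample form is constructed for the demonstration.

```javascript
// Added example (not from the original article): list form inputs whose
// values a browser's form history would remember, so that a site owner can
// decide where to set autocomplete="off" on sensitive fields.
// Assumption: the HTML is a string and a regex-based tag scanner is sufficient
// for templates; this is not a full HTML parser.

// Input types whose typed values end up in the browser's form history.
// Password fields are handled by the password manager, which the article
// notes is not affected, so they are not listed here.
const REMEMBERED_TYPES = new Set(["text", "email", "search", "tel", "url"]);

// Parse the attributes of a single <input ...> tag into an object.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input\b/i, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2]
      : m[3] !== undefined ? m[3]
      : m[4] !== undefined ? m[4] : "";
    attrs[name] = value;
  }
  return attrs;
}

// Return one finding per input that form history would remember.
function auditFormHistory(html) {
  const findings = [];
  const tagRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    const type = (attrs.type || "text").toLowerCase(); // missing type means text
    if (!REMEMBERED_TYPES.has(type)) continue;
    const autocomplete = (attrs.autocomplete || "").toLowerCase();
    if (autocomplete === "off") continue;
    findings.push({
      name: attrs.name || attrs.id || "(unnamed)",
      type,
      autocomplete: autocomplete || "(default on)",
    });
  }
  return findings;
}

// Constructed sample page: one login form with a mix of field types.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="off">
  <input type="password" name="password">
  <input type="email" name="recovery_email">
  <input type="text" name="ssn" autocomplete="on">
  <input type="search" name="q">
  <input type="hidden" name="csrf" value="placeholder-token">
  <input type="submit" value="Sign in">
</form>`;

for (const f of auditFormHistory(SAMPLE_HTML)) {
  console.log(`field "${f.name}" (type=${f.type}) autocomplete=${f.autocomplete}`);
}
```

Run against the sample, the script reports `recovery_email`, `ssn` and `q`; the `username` field is skipped because it is already marked `autocomplete="off"`, and the password, hidden and submit fields are skipped because form history does not record them. One caveat: modern browsers ignore `autocomplete="off"` on credential fields for their password managers, so the attribute controls form history for ordinary text inputs but is not a substitute for the browser-level setting the article describes.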

Firefox users can do that in the preferences under the Privacy tab.

firefox form history

Internet Explorer users can disable autocomplete under Internet Options > Content > AutoComplete > Settings.

internet explorer autocomplete

Are you using your browser's autocomplete feature for forms? Let me know what you think of the vulnerability in the comments. (Thanks Venkat)

Update: it is interesting to note that this is still working in recent versions of the Firefox web browser. If you use the demo page linked at the top of the article, you will find out that information is still retrieved by it even in the most recent version of Firefox (as of December 2014). I have not tried other browsers, but it is likely that it is working in them as well.


Comments

  1. Joey Cam said on November 3, 2011 at 9:08 pm

    I have tons of logins / passwords for various sites and email accounts. But I do not use Firefox’s autocomplete feature mainly because anybody around any PC I use would easily be able to view all my website login info when I am AFK. They just need to go into Firefox’s Tools menu, Options > Security > Saved Passwords > Show Passwords and they will be able to view Usernames / Passwords to any site I have saved, unencrypted.

    My solution is to use a free “password safe” program named KeePass. I store all of my passwords on there and encrypt it with a password that is over 20 characters. There is also a KeePass portable app and an Android app so you can always have your passwords on the go. If you just want to use it at home there is a Firefox plug-in named KeeFox that integrates Firefox and KeePass very nicely.

  2. Ken Saunders said on October 26, 2011 at 9:29 pm

    Martin,
    Any info on bookmarks in the awesome bar? Perhaps it’s just history related.
    I wonder if changing location bar preferences would be sufficient enough protection.
    Tools > Options > Privacy > Location Bar > When using the location bar, suggest: Bookmarks.
    I’d rather not opt out of saving form data. It would create a lot of extra typing for all of the sites that I visit and waste time.

    Kind of odd that they didn’t test out other browsers. Even suspicious. I mean, why just Firefox.

    Thanks for the heads up with this post.

  3. ACow said on October 26, 2011 at 12:14 am

    It always seemed to me like this feature could be easily exploited… Paranoia often pays off.

    IIRC, there used to be an exploit that stole passwords saved by the browser (Opera specifically, I think) a while back.

  4. peter said on October 25, 2011 at 6:30 pm

    Does this apply to saved passwords as well?

    1. Martin Brinkmann said on October 25, 2011 at 6:38 pm

      No, it only applies to auto complete entries, e.g. usernames, searches but not passwords.

      1. peter said on October 25, 2011 at 7:05 pm

        thanks

  5. Midnight said on October 25, 2011 at 5:54 pm

    Looks like nothing is sacred or safe on the ‘Net anymore!
    Too many security features and lock downs required to avoid private info from being stolen!

    I have Firefox set to delete History, Cache, Cookies, Active Logins, etc. at shut down and when required, to avoid any invasion of my privacy!

    I also have a SonicWall box that prevents anybody from accessing my system!
    Seems to work well, so far!

  6. Dean said on October 25, 2011 at 5:29 pm

    Am I correct in assuming (From what I’ve read) that Opera have already fixed this issue (Quite some time ago)?

  7. Robert Palmar said on October 25, 2011 at 5:02 pm

    I had the autocomplete feature in Firefox disabled
    because I am not one to save any history too long.
    It looks like it was a lucky setting for security too.
