The autocomplete feature can be pretty handy at times. It helps you log in to your favorite website faster or load a website in your browser without having to enter the full web address. Researchers from Minded Security Labs have released a proof of concept that demonstrates how a third-party website can read, and thereby steal, a browser's autocomplete entries.
The proof of concept works in Firefox, but the security researchers state that other browsers are also affected by it. They explicitly mention Microsoft's Internet Explorer and note that Google Chrome may be vulnerable as well.
They do, however, mention that an attack may not be as easy to implement against Chrome, because Chrome does not "send keydown/keyup events to JS when the autocomplete drop down menu is focused".
Here is how the issue can be exploited:
The proof of concept page demonstrates how third-party websites can steal autocomplete information from Firefox. The page can check whether autocomplete information is available for sites such as Twitter, Facebook, Gmail, Microsoft or Yahoo logins as well as three different types of inputs.
According to the security researcher, browser vendors should implement a feature into their browsers that ties the autocomplete input to a particular website. The only way to protect the data from being stolen is to disable the browser's autocomplete feature for forms and searches.
Firefox users can do that in the preferences under the Privacy tab.
Internet Explorer users can disable autocomplete under Internet Options > Content > AutoComplete > Settings.
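An added example (not from the original article or from Minded Security): a Python check that reads a Firefox profile's `prefs.js` and `user.js` to confirm that form autocomplete has been switched off as described above. The preference name `browser.formfill.enable` is the about:config entry behind the form history setting and does not appear in the article; the function names and sample file contents are constructed for illustration.

```python
import re

# Firefox preference behind "Remember search and form history".
# Assumption: the article does not name it; Firefox treats it as true
# (form history on) when neither file sets it.
FORMFILL_PREF = "browser.formfill.enable"

_PREF_RE = re.compile(r'user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;')


def read_bool_prefs(text):
    """Return {name: bool} for active boolean user_pref() lines; last one wins."""
    prefs, in_comment = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if in_comment:
            # Inside a /* ... */ block: skip until the closing marker.
            in_comment = "*/" not in stripped
            continue
        if stripped.startswith("/*"):
            in_comment = "*/" not in stripped
            continue
        # Lines starting with // never match, so commented-out prefs are ignored.
        match = _PREF_RE.match(stripped)
        if match:
            prefs[match.group(1)] = match.group(2) == "true"
    return prefs


def form_autocomplete_enabled(prefs_js="", user_js=""):
    """True if the profile still stores and offers form autocomplete entries.

    user.js is applied after prefs.js at startup, so its value takes precedence.
    """
    merged = read_bool_prefs(prefs_js)
    merged.update(read_bool_prefs(user_js))
    return merged.get(FORMFILL_PREF, True)


# Constructed sample profile contents (not taken from a real profile).
SAMPLE_PREFS_JS = '// Mozilla User Preferences\nuser_pref("browser.formfill.enable", true);\n'
SAMPLE_USER_JS = 'user_pref("browser.formfill.enable", false);\n'

if __name__ == "__main__":
    print("prefs.js only :", form_autocomplete_enabled(SAMPLE_PREFS_JS))
    print("with user.js  :", form_autocomplete_enabled(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

To audit a real profile, pass the text of its `prefs.js` and, if present, `user.js` from the profile directory.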
Are you using your browser's autocomplete feature for forms? Let me know what you think of the vulnerability in the comments. (Thanks Venkat)
Update: it is interesting to note that this is still working in recent versions of the Firefox web browser. If you use the demo page linked at the top of the article, you will find out that information is still retrieved by it even in the most recent version of Firefox (as of December 2014). I have not tried other browsers but it is likely that it is working in them as well.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.