Beware: Chrome's Auto-complete feature may send Credit Card information to web servers
The auto-complete feature in web browsers such as Google Chrome can be a very convenient time-saving feature, as it enables you to fill out forms with data that you previously entered in the browser. So, instead of filling out your address, phone number, name or email address manually, you simply type the first character,Â pick the appropriate result from the list and have it auto-filled for you.
In 2012, Google implemented Autocomplete Types in the company's own Chrome browser designed to improve the handling of forms in the web browser. The basic idea behind the feature was to provide users with means to auto-fill all fields of a form automatically by selecting one of the available auto-complete data sets they have used earlier in the browser.
This meant that users did not have to use auto-complete for each field individually, but could select an auto-complete set to fill out multiple forms at once.
That's in theory a pretty nice feature as it enables you to fill out forms quicker and make the whole process more convenient.
One major issue with the feature came to light recently. If you are a web developer you probably know that you can use hidden form fields on websites. A form on a website asking for your name could use hidden form fields to retrieve additional information thanks to the autocomplete-type feature.
Instead of just submitting your name to the service, you may also submit your email address, street address, and even credit card information.
The main problem here is that you do not have control over what is being sent to the website requesting the data, as Chrome does not provide you with those information.
Disabling auto-complete in Google Chrome
The only protection at the time of writing is to disable the auto-complete feature in the Chrome browser. Here is what you need to do to disable the feature in Google's browser:
- Load the website chrome://settings/ by typing it in the Chrome address bar and hitting enter.
- Click on show advanced settings at the bottom of the screen.
- Scroll down until you find Passwords and Forms.
- You can verify which autofill data exists with a click on "Manage Autofill settings"
- Uncheck "Enable Autofill to fill out web forms in a single click".
- Restart Google Chrome.
Note that third party extensions, plugins and programs that provide you with auto-complete functionality are not affected by this. Other browsers may also be affected, if the feature has been implemented in them as well (Opera 15+ for example). (via Yoast)Advertisement
I’m quite surprised that this has not been thought of before.
Even a confirmation would only be somewhat helpful since it is unclear for which items it has to be shown. Sure thing the credit-card data, but what about my home address? Should any site get the date of birth?
I see it in my head:
bastik (me): “So if I hit ‘b’ in the name/nickname field and select ‘bastik’ it fills out all available forms like email address and website and postal code?”
Developer: “Yes, it does!”
me: “Couldn’t websites abuse/exploit that somehow?”
Developer: “I don’t think so!”
Even without the knowledge of hidden forms, which shouldn’t be universal knowledge, although be known to a web-developer one can come up with other ways to exploit/abuse it. How about placing the forms one is not supposed to see in the footer, which is only shown after scrolling, while the button to submit is next to the forms you are willing to fill out? How about placing an image over the from the users should not see? I think there are probably more ways to do this. One just has to be smart enough.
Indeed, it’s easier than that – CSS absolute positioning with negative x or y positions will place an element off-screen. I don’t know of any browser that would take that into account (they don’t when copying text – see http://blog.lattyware.co.uk/post/13748143648/injecting-text-into-the-clipboard-with-pure-css for an example).
The obvious answer of simply not auto-filling hidden fields as not a complete solution to this problem.
Of course, even if you identified visible fields (not a trivial task), what about websites that have ‘folded away’ form sections that should be expanded and filled out? Arguably it’s better to be secure, even if it costs functionality, but it’s a shame.
Just one more reason to stay away from Google Chrome
This is just an Obvious thing of any auto insert type app or tool, it makes it more certain for people to be aware of what they do when on the Internet if that in itself is not reason enough!
I know that we try to make things “Dummy Proof!”, but never underestimate a Dummy, as they often find ways around all the boundaries and safety measures you put around them, it sorta reminds me of Homer Simpson’s bypassing all the safety protocols at the Nuclear Power Station just so that he can get a Cookie and Beer! LOL!….it’s always funny to watch!, but not funny when you get the repercussions of it!
All the Browsers have this type or similar feature, Chrome just puts more responsibility of this on the user. IE has something similar of which they fixed by removing it as a default, but you can turn it on and be no different than what Chrome does. The new fix for this would be to have a built-in selector for what you want to auto-fill in a way to secure such stuff as passwords and credit card info to be encrypted and password protected, but even that needs the user to be aware of what he is doing.
This might be stupid but Yoast wrecks my self-esteem with those little color-coded circles. The INK for ALL editor is so much more enjoyable, the goal is increasing the relevancy score up to 100. It instantly compares your text to similar stuff that are already live already published and then gives you concrete suggestions and tips to increase your relevancy.