oday’s post will discuss auto-complete vulnerabilities that Chrome does not support or manage properly. The good news is there is a workaround method and we’ll go over how to do it step by step. Read on for the details.
What are the Auto Complete Vulnerabilities?
There are two main security issues we need to discuss:
- Auto complete for text fields
Credit card fields (always considered text fields) are always vulnerable. If you do not employ methods for protection, then after the user sends the form, the credit card number will be automatically saved by the browser’s auto-complete feature, as demonstrated in the following image:
The next person to use the computer will be able to browse to the same page andsee the saved cc number.
- Auto complete for password fields
For example, in Login forms. After the login form is sent, Chrome suggests the user to save his password. In sensitive systems, It is recommended to prevent the browser from suggest it.
Now let’s go over the details on how to follow these recommendations.
Auto complete mitigation for text fields
The mitigation for AutoComplete on text fields is easy. Add the following attribute autocomplete=”off” to the relevant text fields. For example:
<input type=”text” name=”cc” autocomplete=”off” />
With this attribute, the browser will not save the data that the user entered into these fields in its AutoComplete feature.
Auto complete mitigation for password fields
The mitigation for password fields differs depending on the browser and its version.
In short, some browsers support the AutoComplete attribute into the password field just like in the text field:
<input type=”password” name=”pass” autocomplete=”off” />
Some browsers require the autocomplete being in the form of a tag:
<form action=”/xyz” method=”post” autocomplete=”off”>
But… Chrome does not support either.
Chrome and AutoComplete for password fields
The workaround that we found for Google Chrome is detailed here: (found by Simon:http://stackoverflow.com/a/22694173). What must be done is to add a hidden password field before the real password field. Chrome detects that the first password field (the hidden one) is empty, and processes it as the user having left a blank open field in the password and does not suggest that he saves his password.
Since Chrome and Firefox changed their logic (For example, FireFox offers to save the password, once a submit input is clicked, whether the form was submitted or not. I disabled the submission by <form onsubmit=”return false”> and still FireFox offers to save it) I had no other solution but to copy the credentials to a hidden form that does not contain a password field at all.
So, those are the nitty gritty details. Now it’s your turn to test your own forms with multiple options in our online lab environment: http://online.attacker-site.com/pages/autocomplete/autocomplete.php
I hope this helps you, and please feel free to leave comments below. If you have ideas for our next blog post, just let us know.
Talk to you next time, Israel