
Don't use autofill in your browser - DavidWanjiru
http://yoast.com/autocomplete-security/
======
viraptor
That's a misuse of the term "autocomplete" in my opinion. What he complains
about is "autofill", not "autocomplete" as I understand it. Autocomplete takes
the values you used previously and gives you suggestions for the stuff you're
typing in yourself. Autofill tries to guess what values are required and fills
them in without additional interactions.

They're very different mechanisms...

~~~
yaph
Fully agree, using "autocomplete" is misleading. The suggestions that go into
auto-complete fields come from the server, autofill from the client.

~~~
aaronem
You conflate autocompletion provided by the browser, based on values
previously submitted in identically named fields, and autocompletion against
values provided by the server.

------
AndrewDucker
Doesn't seem to be an issue in Firefox, as far as I can tell. Certainly didn't
fill any other fields for me.

~~~
Tobu
Even if it showed you the fields, it wouldn't be conclusive proof of a privacy
leak. Firefox shows links visited without exposing that property outside of
render context: [https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/](https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/)

~~~
eli
The fields in this demo are being echoed back from the server, so if you see
values in them then it is indeed proof they are being leaked.

~~~
Tobu
The fields appear immediately, the demo actually does this:

    // jQuery: when the #mine form is submitted, expand the #hide container
    // (kept at height 0 until then) so the extra fields become visible.
    $("#mine").submit(function() {
        $("#hide").css("height", "auto");
    });

------
mortenjorck
I remember noting with concern several years ago that Safari was blindly saving
my credit card number along with all my other auto-fill data. Thing is, I
recall observing that behavior stopping around Safari 4 or so – the browser
appeared to be using something along the lines of the data detectors that put
calendar links on times mentioned in emails, and saving everything but the
credit card field.

------
crashandburn4
This is weird, I'm on chrome but it doesn't happen for me...

~~~
DanBC
I'm using Chrome version 30.0.1599.101 m on Vista. The form did what the post
said it would - all those extra fields got filled in.

~~~
next89
Same on W7, Chrome build 30.0.1599.101 m.

------
Sephiroth87
Safari tells you what is actually going to autocomplete, so you could easily
catch stuff that should not be sent...

~~~
kalleboo
This is true, and actually a pretty smart feature, but you have to take the
time to double-check (which I suspect most users won't).

~~~
cowsandmilk
Usually I agree that people will blindly click through, but I don't see people
clicking through this[1]. Especially if Safari said it would auto-fill your
credit card number and you weren't buying anything?

[1]
[https://www.evernote.com/shard/s356/sh/dcf7867e-eb16-4e0e-83...](https://www.evernote.com/shard/s356/sh/dcf7867e-eb16-4e0e-8387-6b72e5dbdd3b/ae46289e9b82a3897fb2a389b9ae708e)

~~~
jasonlotito
My understanding is that even credit card information is only available if the
person is specifically in a credit card field, and not just the name.

------
praseodym
Firefox and the Mozilla Suite have had a very similar problem since at least
2005: it autofilled usernames and passwords, which creates a problem with XSS
or user-generated content on the same domain. The bug was marked WONTFIX:
[https://bugzilla.mozilla.org/show_bug.cgi?id=280469](https://bugzilla.mozilla.org/show_bug.cgi?id=280469)

~~~
bad_user
Strange, but for me Firefox does not auto-fill passwords, unless you provide a
username (and of course, you opted into auto-filling). What did it do, as I
don't understand? Did it automatically auto-fill password fields that happened
to get loaded on the page?

~~~
praseodym
It indeed autofilled password fields on the page. Haven't re-tested it, but I
think most browsers still show the same behaviour.

------
Ellipsis753
Seems to work correctly (only name is submitted as one would expect) on
Firefox 24.0 and Chromium 30.0. Edit: This is on Gentoo Linux.

~~~
elwell
You have to have an autofill set up with more information than just your name.
You can tell if you have this set up because when the autofill choices show
they will have your address etc in gray next to the choices you are auto-
completing.

------
michaelmartin
I just don't store credit card details in my browser. Auto-complete for emails
is extremely handy and I use that all the time, but does purchasing things
online really need to be any easier?

I don't mind reaching for my wallet there; it forces you to make a conscious
decision to spend the money, which is at least slightly better than a 1-click
impulse.

~~~
elwell
Credit card details are not the main concern here (because they are separated
on Chrome), but you could send your address and phone number to a server
without expecting to send more than your name or email address.

------
wil421
I don't see the problem; all that was filled in was my name. The other fields
were left blank, even when I re-entered it after the other fields popped up.

------
ck2
Should be easy to make a proof of concept page to scare people dumb enough to
have credit card auto-complete.

Just make hidden form fields for every field name you can think of, then make
some onload javascript to welcome them to the page with any fields that aren't
empty.

~~~
gizmo
Oh, c'mon! Storing credit card data in Autofill is actually recommended by
Google and considered secure:
[https://support.google.com/chrome/answer/142893?hl=en](https://support.google.com/chrome/answer/142893?hl=en)

You shouldn't call people dumb for following Google's instructions. I agree
with you that storing CC details in a web browser is a bad idea, but we should
take issue with Chrome here (and other browsers) not with regular "dumb"
users.

~~~
kalleboo
Apple are also touting credit card autofill with their new version of OS X,
with strong claims of security. [http://www.apple.com/osx/whats-new/#gallery-icloud-keychain-creditcard](http://www.apple.com/osx/whats-new/#gallery-icloud-keychain-creditcard)

------
ams6110
I always disable all "auto" functions in any browser. Autocomplete for forms
and URLs, remember passwords, everything I can find a switch for I turn off.
Makes the browser faster and I feel like I'm more in control of it.

~~~
ubercow13
If only you could turn off auto-rendering; that bugs the hell out of me.

------
freewheeling
Web devs can recommend input fields not use autocomplete:
[http://www.w3schools.com/tags/att_input_autocomplete.asp](http://www.w3schools.com/tags/att_input_autocomplete.asp)

It's considered good practice to use it on login fields, but otherwise depends
on whether you think security or user preference should take priority.

~~~
imurray
Users that find this "good practice" annoying can override it with a
bookmarklet or extension:
[http://kb.mozillazine.org/User_name_and_password_not_remembe...](http://kb.mozillazine.org/User_name_and_password_not_remembered#Sites_prohibit_password_saving)

~~~
aaronem
I've noticed with Firefox (17 ESR) that, having once used Firebug to delete
the 'autocomplete="no"' attribute on a password field and then submitted the
form, it's not necessary to do so again; in whatever heuristic Firefox uses to
determine how to behave in that case, the existence of auto-completion data
for the field apparently overrides the advice given by the attribute. For
those leery of adding still more extensions to a Firefox profile already well
larded with them, this may be useful information.

------
gr3yh47
I'm sorry, I've never used autocomplete for a few privacy related reasons, and
this was one of them... this seems obvious, to the point where I thought the
title was written in a sarcastic 'duh' tone...

I figured not letting your (google especially) browser store personal details
was pretty much common privacy/security sense at this point.

------
webhat
Only occurred in Safari for me, not in Chrome or FireFox.

Also I was a little confused by autocomplete, I thought he meant for the
address bar.

~~~
elwell
Worked in Chrome for me.

------
thatmanjose
Tested this with Autocomplete off in both Safari and Chrome, but completed the
forms with Lastpass. Same problem.

------
rejoinder
Can someone explain the following page please? (As in what's being
demonstrated here.)

[https://yoast.com/research/autocompletetype.php](https://yoast.com/research/autocompletetype.php)

------
ondiekijunior
Well, I don't get the justification for the headline.

~~~
DavidWanjiru
I added the word "apparently", coz I don't know if what the article claims is
true or not...

------
Aqueous
This seems like an easy fix for the layout engines. Only include a field on
autofill if it's currently visible on screen.

One might even classify this as a bug.

~~~
daveasdf
"Visible on screen" unfortunately is a hard thing to determine. You can easily
imagine a textbox with white text on a white background, or a very small
textbox, or a textbox that briefly pops up whenever you type a keystroke or
click the mouse, or...

Browsers really need to support some mechanism where the user can determine
precisely what information will be filled prior to it being handed over to the
website. This needn't be difficult; Chrome's existing autofill popup already
displays a subset of the information, the popup just needs to give a fuller
picture.
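As an added example (not code from the thread), this is the kind of pre-submit visibility audit a user-side bookmarklet could run. It works on a constructed snapshot of a form's inputs, in the shape such a script could build from `getBoundingClientRect()` and `getComputedStyle()`; the field names, values and box coordinates are all made up. It shows what simple heuristics catch (a clipped wrapper like the demo's, same-colour text, a 1 px box) and, per the comments in the code, what a static check cannot.

```javascript
// Style of an ordinary, readable input (constructed values).
const PLAIN = { display: "block", visibility: "visible", opacity: "1",
                color: "rgb(0, 0, 0)", backgroundColor: "rgb(255, 255, 255)" };

// Constructed snapshot of a form just before submit. "clippers" lists the boxes
// of ancestors that have overflow:hidden. Every value here is made up.
const SAMPLE_FIELDS = [
  { name: "name", value: "Bob Jones", style: PLAIN, clippers: [],
    rect: { x: 10, y: 10, width: 200, height: 24 } },
  // Demo-style trick: a wrapper with height 0 and overflow hidden clips the input.
  { name: "address", value: "123 Sample Street", style: PLAIN,
    rect: { x: 10, y: 60, width: 200, height: 24 },
    clippers: [{ x: 10, y: 60, width: 200, height: 0 }] },
  // White text on a white background: in view, but unreadable.
  { name: "phone", value: "555-0100", clippers: [],
    rect: { x: 10, y: 100, width: 200, height: 24 },
    style: { ...PLAIN, color: "rgb(255, 255, 255)" } },
  // A 1x1 px box.
  { name: "cc", value: "4111 1111 1111 1111", style: PLAIN, clippers: [],
    rect: { x: 10, y: 140, width: 1, height: 1 } },
  // Empty field: nothing to leak, so it is never reported.
  { name: "email", value: "", style: PLAIN, clippers: [],
    rect: { x: 10, y: 180, width: 200, height: 24 } },
];

// Area of the overlap of two boxes (0 when they do not intersect).
function overlap(a, b) {
  const w = Math.min(a.x + a.width, b.x + b.width) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.height, b.y + b.height) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Reasons a field's content may be imperceptible to the user. A static snapshot
// cannot catch a box that is only flashed up for an instant; that case stays open.
function hiddenReasons(f) {
  const r = [];
  if (f.style.display === "none") r.push("display:none");
  if (f.style.visibility !== "visible") r.push("visibility");
  if (parseFloat(f.style.opacity) < 0.1) r.push("transparent");
  if (f.style.color === f.style.backgroundColor) r.push("same-colour text");
  if (f.rect.width < 2 || f.rect.height < 2) r.push("tiny box");
  if (f.clippers.some(c => overlap(f.rect, c) === 0)) r.push("clipped by ancestor");
  return r;
}

// Names and reasons of fields that hold a value yet fail a visibility check.
function auditAutofill(fields) {
  return fields
    .filter(f => f.value !== "")
    .map(f => ({ name: f.name, reasons: hiddenReasons(f) }))
    .filter(f => f.reasons.length > 0);
}
```

A bookmarklet would run this from a `submit` listener and, on a non-empty result, cancel the submit and show the list to the user instead.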

~~~
mintplant

        ----------------------------------------------------
        | This webpage is asking for information that your |
        | browser can automatically fill in for you. Check |
        | the box next to each item you'd like to include. |
        |                                                  |
        | [x] Email address - bob@example.com              |
        | [ ] Name - Bob Jones                             |
        | [ ] Address - 123 Sample Street                  |
        |                                                  |
        | [Autofill] [No thanks]                           |
        ----------------------------------------------------

------
tambourine_man
Just name and email here, but I guess I'm paranoid enough.

------
peter303
When your girlfriend borrows your computer and the browser sends her to porn
sites.

~~~
kolev
You don't use "private browsing"? BTW, Chrome supports multiple profiles now.

~~~
rejoinder
I guess that's for signed in users?

~~~
Groxx
No, it's for everything, though it might sound that way. Add a user on the
settings page, it'll open up the switching UI, no sign-in required. (unless
they changed that recently, of course. but that would suck.)

~~~
rejoinder
Nice hidden feature! Cheers.

------
AsymetricCom
Seems to be an issue with Chrome only, which is unsurprising.

------
markdown
1password works great, and is secure.

~~~
kalleboo
I just tried 1password Safari integration with the test form[0] and it had the
same problem as Safari's own autofill (it filled out the hidden fields).

[0][https://yoast.com/research/autocompletetype.php](https://yoast.com/research/autocompletetype.php)

