Enabling Autocomplete Feature
Forms are widely used in web applications. They are used for accepting inputs from users for various purposes, like signing up, filling up surveys, submitting feedbacks, etc. Forms contain text fields wherein users enter data, along with labels that describe the purpose of the associated text-fields. Filling forms can be a time-consuming process, so the auto-complete feature is often used. When enabled, browsers keep a record of the inputs users enter, and whenever users start to fill-up the form, the browser automatically completes the remaining part based on the stored values. An attacker may get a clue of confidential information due to this feature. Let’s have an example to understand the risk better.
A user uses an online banking portal. He has to enter the username and password to get access to his account’s functionality. The auto-complete feature is enabled for the website. An attacker wants to steal money from the user’s account. He manages to access the user’s browser window on their computer. The browser has a record of the username and password strings that were entered to date. The attacker manages to login due to auto-filled data. Subsequently, he transfers money to an account of his choice.
The solution is to disable the auto-complete feature for sensitive fields. When disabled, browsers do not store user inputs. In case an attacker manages to access the browser and its stored data, the credentials won’t be found.