Re: [whatwg] Password managers ignoring autocomplete='off' harming security

On 2 October 2014 01:24, Peter Kasting <pkasting@google.com> wrote:
> OK, but how does that cycle get started?  I could be wrong, but I believe in
> Chrome that we won't autofill your password from site X into a password
> field on unrelated site Y.  You have to have explicitly used that password
> on site Y to fill it in the future.  So if people are getting sensitive
> data, that was never supposed to be in these fields to begin with, filled
> into the fields, how is that happening?  Are browsers being aggressive about
> attempting to fill data from one site into another?  Does this happen across
> browsers?

The most basic case of autocompleting on the same site is the one
which is most problematic for us.

A traditional username/password to login to the site with autocomplete
enabled and functioning as expected - but then after the user has
logged in, they do something on a page with one of these (I'll now
call) masked fields, and without them noticing - that field is
autocompleted with their login password. Previously we could prevent
that behaviour by disabling autocomplete on these fields.

Note a more traditional example of this which might affect more sites
is something like a 'create new user' form where the password would be
erroneously set to the password of the user who is creating the
accounts.

We've had this problem reported to us about at least Chrome, Firefox and Safari.

cheers,
Dan

Received on Thursday, 2 October 2014 01:13:15 UTC