Re: Security of Autocomplete - Good News!

Lisa

I'm interested in your opinion. One of COGA's main concerns was for the
security and safety of people with cognitive disabilities online.
Currently, 1.3.4 is basically mandating that authors add autofill which
appears to have a phishing vulnerability.

User autofills name and email, and positions inputs offscreen for all kinds
of other information which is autofilled... At a recent talk I gave on WCAG
2.1 during questions and answers, two participants independently raised this
concern. I had not mentioned security during the talk.

Will this SC help or hurt people with Cognitive disabilities?

Cheers,
David MacDonald

CanAdapt Solutions Inc.

Tel: 613.235.4902

LinkedIn <http://www.linkedin.com/in/davidmacdonald100>

twitter.com/davidmacd

GitHub <https://github.com/DavidMacDonald>

www.Can-Adapt.com <http://www.can-adapt.com/>

Adapting the web to all users
Including those with disabilities

If you are not the intended recipient, please review our privacy policy
<http://www.davidmacd.com/disclaimer.html>

On Wed, Feb 28, 2018 at 12:43 PM, Chaals Nevile <chaals@yandex.ru> wrote:

> On Wed, 28 Feb 2018 18:33:42 +0100, Alastair Campbell
> <acampbell@nomensa.com> wrote:
>
>> John wrote:
>>
>>> RE: Horizontal Security Review: I think that the time is *now* (as other
>>> specs come to APA for their accessibility horizontal review at around this
>>> same time - i.e. CR or sooner).
>>
>> Maybe it has been submitted already, but noted, I’ll ask about that.
>
> Not sure where it would have been submitted. You could check with the
> Security IG, or look in the security considerations section(s) of relevant
> specs.
>
>>> I am stunned that the browsers have not addressed this *STILL*.
>>
>> I’m a bit surprised given the mainstream press on it, and it does put
>> this SC in a difficult position.
>
> I'm sad rather than surprised.
>
>> I would be interested to know from Charles or Léonie:
>>
>> * Is there active work on the issue of phishing user-data via
>> autocomplete? [1]
>
> Not that I know of. It would be very helpful if you filed the relevant
> issues (since you have a head start on us in understanding the problem, so
> have more chance to get the framing right first-time).
>
>> * Where would a suitable place for that discussion to happen?
>
> https://github.com/w3c/html/issues
>
>> It occurs to me a good solution to prevent the phishing would be to add
>> visible (foreground) symbols next to fields which can be autocompleted, a
>> bit like Lastpass adds an icon inside of username/password inputs.
>
> Some browsers do something like this. I am pretty sure it is the case, for
> example, for Yandex browser.
>
>> The browser could ensure
>> the symbols are shown even if the inputs were hidden. If those symbols
>> were user-configurable, that would also help with the personalisation
>> aspects as well (or at least be compatible).
>
>> [1] the trigger for this discussion was a comment about this article:
>> https://www.digitaltrends.com/computing/browser-bug-can-fill-in-personal-information-in-hidden-fields/
>> If you fill in an autocomplete field (e.g. name), the site can have
>> visually hidden fields with email, password, credit card number etc. It
>> can grab that data without the user realising because it is auto-populated.
>
> That rings a bell, actually. I'll have a search through the HTML issues
> history...
>
> cheers
>
> --
> Using Opera's mail client: http://www.opera.com/mail/
>

Received on Wednesday, 28 February 2018 19:50:57 UTC
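The condition the thread is about (a form with a visible name or email field plus sensitive autocomplete fields the user cannot see) is something a site owner, auditor or browser extension can check for before a user ever fills anything in. The following is an added example, not code from this thread, from any browser vendor or from the WCAG working group. It assumes the caller has already collected each form control's `autocomplete` attribute, computed style and bounding box (in a real page that would come from `getComputedStyle()` and `getBoundingClientRect()`); the `SAMPLE_FIELDS` descriptors, the `VIEWPORT` size and the `SENSITIVE_TOKENS` subset are constructed here for illustration.

```javascript
// Added example (not from the thread): audit a form description for
// autocomplete-enabled inputs that a user cannot perceive. In a browser the
// `fields` array would be built from document.querySelectorAll('input,
// select, textarea') with getBoundingClientRect() and getComputedStyle();
// here the descriptors are hand-constructed so the logic runs offline.

// HTML autofill field-name tokens whose silent fill would leak something
// worth phishing. Assumption: this subset is what the audit cares about.
const SENSITIVE_TOKENS = new Set([
  'name', 'email', 'tel', 'street-address', 'postal-code',
  'cc-name', 'cc-number', 'cc-exp', 'cc-csc',
  'current-password', 'new-password',
]);

// Returns the reason a field is not perceivable in the given viewport,
// or null if it would be visible.
function hiddenReason(field, viewport) {
  const s = field.style || {};
  if (s.display === 'none') return 'display:none';
  if (s.visibility === 'hidden') return 'visibility:hidden';
  if (Number(s.opacity) === 0) return 'opacity:0';
  const r = field.rect;
  if (r.width <= 0 || r.height <= 0) return 'zero-size box';
  const offscreen =
    r.left + r.width <= 0 || r.top + r.height <= 0 ||
    r.left >= viewport.width || r.top >= viewport.height;
  if (offscreen) return 'positioned outside the viewport';
  return null;
}

// The autocomplete attribute may carry several tokens ("billing cc-number");
// the last one is the field name the browser fills from.
function autofillToken(field) {
  const value = (field.autocomplete || '').trim().toLowerCase();
  if (!value || value === 'off') return null;
  const tokens = value.split(/\s+/);
  return tokens[tokens.length - 1];
}

// Reports every field that carries a sensitive autofill token but would be
// filled without the user seeing it, together with why it is hidden.
function auditForm(fields, viewport) {
  const findings = [];
  for (const field of fields) {
    const token = autofillToken(field);
    if (!token || !SENSITIVE_TOKENS.has(token)) continue;
    const reason = hiddenReason(field, viewport);
    if (reason) findings.push({ name: field.name, autocomplete: token, reason });
  }
  return findings;
}

// Constructed sample: two fields the user sees, three they never would, and
// one hidden field with autocomplete="off" that the audit correctly ignores.
const VIEWPORT = { width: 1280, height: 800 };
const SAMPLE_FIELDS = [
  { name: 'fullname', autocomplete: 'name',
    style: {}, rect: { left: 100, top: 100, width: 300, height: 32 } },
  { name: 'email', autocomplete: 'email',
    style: {}, rect: { left: 100, top: 150, width: 300, height: 32 } },
  { name: 'card', autocomplete: 'billing cc-number',
    style: {}, rect: { left: -9999, top: 200, width: 300, height: 32 } },
  { name: 'phone', autocomplete: 'tel',
    style: { display: 'none' }, rect: { left: 0, top: 0, width: 0, height: 0 } },
  { name: 'addr', autocomplete: 'street-address',
    style: {}, rect: { left: 100, top: 250, width: 300, height: 0 } },
  { name: 'promo', autocomplete: 'off',
    style: { display: 'none' }, rect: { left: 0, top: 0, width: 0, height: 0 } },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditForm(SAMPLE_FIELDS, VIEWPORT)) {
    console.log(`${f.name} (autocomplete=${f.autocomplete}): ${f.reason}`);
  }
}
```

Run against the sample it reports `card`, `phone` and `addr` and stays silent on the two visible fields. The per-field classification in `hiddenReason` is also the decision a browser-side indicator (the visible symbol next to every fillable field that the thread proposes) would have to make: the indicator only helps if it is drawn for the fields the page has taken care to keep out of view.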