- From: John Foliot <john.foliot@deque.com>
- Date: Wed, 7 Mar 2018 10:35:13 -0500
- To: "lisa.seeman" <lisa.seeman@zoho.com>
- Cc: David MacDonald <david100@sympatico.ca>, Chaals Nevile <chaals@yandex.ru>, WCAG <w3c-wai-gl@w3.org>
- Message-ID: <CAKdCpxyPXp58YSymvtkrQyBh73k3K_P8CAm39vXK_n_Amx3rAg@mail.gmail.com>
Hi Lisa,

Please see my email from Feb. 28th <https://lists.w3.org/Archives/Public/w3c-wai-gl/2018JanMar/1371.html>.

A current example of the security concern can be found here: https://anttiviljami.github.io/browser-autofill-phishing/

JF

On Wed, Mar 7, 2018 at 10:20 AM, lisa.seeman <lisa.seeman@zoho.com> wrote:

> Hi David
>
> From what we saw last time we looked into this issue the concerns about
> autofill and security were debunked about five years ago. Do you have an
> updated source for this concern that is reputable and current? (the link
> below is a 404)
>
> All the best
>
> Lisa Seeman
>
> LinkedIn <http://il.linkedin.com/in/lisaseeman/>, Twitter <https://twitter.com/SeemanLisa>
>
> ---- On Wed, 28 Feb 2018 21:50:28 +0200 *David MacDonald <david100@sympatico.ca>* wrote ----
>
> Lisa
>
> I'm interested in your opinion. One of COGA's main concerns was for the
> security and safety of people with cognitive disabilities online.
> Currently, 1.3.4 is basically mandating that authors add autofill which
> appears to have a phishing vulnerability.
>
> User autofills name and email, and positions inputs offscreen for all
> kinds of other information which is autofilled... At a recent talk I gave
> on WCAG 2.1 during questions and answers, two participants independently
> raised this concern. I had not mentioned security during the talk.
>
> Will this SC help or hurt people with Cognitive disabilities?
>
> Cheers,
> David MacDonald
>
> *Can**Adapt* *Solutions Inc.*
>
> Tel: 613.235.4902
>
> LinkedIn <http://www.linkedin.com/in/davidmacdonald100>
> twitter.com/davidmacd
> GitHub <https://github.com/DavidMacDonald>
> http://www.can-adapt.com/
>
> * Adapting the web to all users*
> * Including those with disabilities*
>
> If you are not the intended recipient, please review our privacy policy
> <http://www.davidmacd.com/disclaimer.html>
>
> On Wed, Feb 28, 2018 at 12:43 PM, Chaals Nevile <chaals@yandex.ru> wrote:
>
> On Wed, 28 Feb 2018 18:33:42 +0100, Alastair Campbell
> <acampbell@nomensa.com> wrote:
>
> John wrote:
>
> RE: Horizontal Security Review: I think that the time is *now* (as other
> specs come to APA for their accessibility horizontal review at around this
> same time - i.e. CR or sooner).
>
> Maybe it has been submitted already, but noted, I'll ask about that.
>
> Not sure where it would have been submitted. You could check with the
> Security IG, or look in the security considerations section(s) of relevant
> specs.
>
> I am stunned that the browsers have not addressed this *STILL*.
>
> I'm a bit surprised given the mainstream press on it, and it does put this
> SC in a difficult position.
>
> I'm sad rather than surprised.
>
> I would be interested to know from Charles or Léonie:
>
> * Is there active work on the issue of phishing user-data via
> autocomplete? [1]
>
> Not that I know of. It would be very helpful if you filed the relevant
> issues (since you have a head start on us in understanding the problem, so
> have more chance to get the framing right first time).
>
> * Where would a suitable place for that discussion to happen?
>
> https://github.com/w3c/html/issues
>
> It occurs to me a good solution to prevent the phishing would be to add
> visible (foreground) symbols next to fields which can be autocompleted, a
> bit like Lastpass adds an icon inside of username/password inputs.
>
> Some browsers do something like this. I am pretty sure it is the case, for
> example, for Yandex browser.
>
> The browser could ensure the symbols are shown even if the inputs were
> hidden. If those symbols were user-configurable, that would also help with
> the personalisation aspects as well (or at least be compatible).
>
> [1] the trigger for this discussion was a comment about this article:
> https://www.digitaltrends.com/computing/browser-bug-can-fill-in-personal-information-in-hidden-fields/
> If you fill in an autocomplete field (e.g. name), the site can have
> visually hidden fields with email, password, credit card number etc. It
> can grab that data without the user realising because it is auto-populated.
>
> That rings a bell, actually. I'll have a search through the HTML issues
> history...
>
> cheers
>
> --
> Using Opera's mail client: http://www.opera.com/mail/

--
John Foliot
Principal Accessibility Strategist
Deque Systems Inc.
john.foliot@deque.com

Advancing the mission of digital accessibility and inclusion
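The thread's concern is a form whose autofill-eligible controls the user cannot see (offscreen, `display:none`, zero opacity), so the browser fills them silently. Chaals's proposed fix is browser-side; the script below is an added example, not code from this thread or from any browser, showing the page-side audit an author, reviewer or accessibility tester can run to find such controls before shipping. The token list, the field-descriptor shape, the function names (`auditFields`, `hiddenReason`, `collectFields`) and the sample form are all constructed here; the assumption that browsers never autofill `type="hidden"` inputs is mine.

```javascript
// Added example (not from the thread): flag form controls that carry a
// sensitive autocomplete token but are not visible to the user, the
// hidden-field autofill pattern discussed above. Works on plain field
// descriptors so it runs without a DOM; collectFields() builds those
// descriptors from a live document in a browser.

// Constructed subset of the HTML standard's autofill field names whose
// silent capture would matter. Extend as needed.
const SENSITIVE_TOKENS = new Set([
  "name", "given-name", "family-name", "email", "tel", "username",
  "current-password", "new-password", "street-address", "address-line1",
  "postal-code", "bday", "cc-name", "cc-number", "cc-exp", "cc-csc",
]);

// Pull the field-name token out of an autocomplete value, ignoring the
// optional "section-*", "shipping"/"billing" prefixes ("billing cc-number").
function autofillToken(autocomplete) {
  if (!autocomplete) return null;
  const parts = autocomplete.trim().toLowerCase().split(/\s+/);
  const token = parts[parts.length - 1];
  return SENSITIVE_TOKENS.has(token) ? token : null;
}

// Why a control cannot be seen, or null when it is visible. f.style is the
// computed style, f.rect the bounding box, f.viewport the window size.
function hiddenReason(f) {
  const s = f.style, r = f.rect, v = f.viewport;
  if (s.display === "none") return "display:none";
  if (s.visibility === "hidden") return "visibility:hidden";
  if (Number(s.opacity) === 0) return "opacity:0";
  if (r.width === 0 || r.height === 0) return "zero-size";
  // Entirely outside the viewport (e.g. left: -9999px).
  if (r.left + r.width <= 0 || r.top + r.height <= 0 ||
      r.left >= v.width || r.top >= v.height) return "off-screen";
  return null;
}

// One finding per sensitive autofill control the user cannot see.
function auditFields(fields) {
  const findings = [];
  for (const f of fields) {
    // Assumption: browsers do not autofill type=hidden inputs, so skip them.
    if (f.type === "hidden") continue;
    const token = autofillToken(f.autocomplete);
    if (!token) continue;
    const reason = hiddenReason(f);
    if (reason) findings.push({ name: f.name, token, reason });
  }
  return findings;
}

// Build descriptors from a live document (browser only; not run here).
function collectFields(doc, win) {
  return Array.from(doc.querySelectorAll("input, select, textarea")).map((el) => {
    const s = win.getComputedStyle(el), r = el.getBoundingClientRect();
    return {
      name: el.name || el.id,
      type: el.type,
      autocomplete: el.getAttribute("autocomplete") || "",
      style: { display: s.display, visibility: s.visibility, opacity: s.opacity },
      rect: { left: r.left, top: r.top, width: r.width, height: r.height },
      viewport: { width: win.innerWidth, height: win.innerHeight },
    };
  });
}

// Constructed sample: a visible name/tel form plus three concealed controls.
const VIEWPORT = { width: 1280, height: 800 };
const VISIBLE = { display: "block", visibility: "visible", opacity: "1" };
const BOX = { left: 40, top: 100, width: 300, height: 32 };
const SAMPLE_FIELDS = [
  { name: "name", type: "text", autocomplete: "name", style: VISIBLE, rect: BOX, viewport: VIEWPORT },
  { name: "email", type: "email", autocomplete: "email", style: VISIBLE,
    rect: { left: -9999, top: 100, width: 300, height: 32 }, viewport: VIEWPORT },
  { name: "cc", type: "text", autocomplete: "billing cc-number",
    style: { display: "none", visibility: "visible", opacity: "1" },
    rect: { left: 0, top: 0, width: 0, height: 0 }, viewport: VIEWPORT },
  { name: "addr", type: "text", autocomplete: "street-address",
    style: { display: "block", visibility: "visible", opacity: "0" }, rect: BOX, viewport: VIEWPORT },
  { name: "tel", type: "tel", autocomplete: "tel", style: VISIBLE, rect: BOX, viewport: VIEWPORT },
  { name: "csrf", type: "hidden", autocomplete: "", style: VISIBLE,
    rect: { left: 0, top: 0, width: 0, height: 0 }, viewport: VIEWPORT },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditFields(SAMPLE_FIELDS));
}
```

In a browser, `auditFields(collectFields(document, window))` run from the console or a test harness lists the concealed controls; on the constructed sample it reports the offscreen email field, the `display:none` card number and the zero-opacity address, and leaves the two visible fields and the hidden CSRF token alone.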
Received on Wednesday, 7 March 2018 15:35:41 UTC