Re: Security of Autocomplete

(I’m not sure Charles needs to read our internal discussion?)

The article got a bit mangled in the quoting, but it’s here:
https://www.digitaltrends.com/computing/browser-bug-can-fill-in-personal-information-in-hidden-fields/


The principle is that a site can hide fields such as (address & credit card) so that if you select ‘fill form’ on a name field, it gets all the other information hidden off-screen without you realising.

NB: This issue goes away if a non-autocomplete attribute is used, but without 2 user agent & site implementations to test this month that isn’t going to help for 2.1.

Personally, I think it’s an issue the browsers (and password managers) need to fix. It shouldn’t be too hard to check if an input is visible.

I’ve opened an issue on this as Charles suggested:
https://github.com/w3c/html/issues/1285


Cheers,

-Alastair
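As an added example (not code from this thread or from any browser or W3C project): a static audit that flags `<input>` elements carrying an autocomplete token while they are hidden, which is the pattern the article describes and the check Alastair says browsers could make. The sample form is constructed; the scan only sees inline attributes (`hidden`, `type="hidden"`, inline `style`, hidden ancestors), not external stylesheets, so it is a first-pass detector rather than a full visibility check.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns that take a field out of the user's view.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px|(?:width|height)\s*:\s*0(?:px)?(?![.\d])",
    re.I,
)
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}


def _attrs_hide(attrs):
    """True if the element's own attributes hide it (no CSS evaluation)."""
    return "hidden" in attrs or bool(HIDING_STYLE.search(attrs.get("style") or ""))


class AutofillAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # one bool per open ancestor: is it hidden?
        self.findings = []   # every input with a live autocomplete token

    def handle_starttag(self, tag, attrlist):
        attrs = {k.lower(): v for k, v in attrlist}
        hidden = _attrs_hide(attrs) or any(self.stack)
        if tag == "input":
            token = (attrs.get("autocomplete") or "").strip().lower()
            if token and token != "off":
                if (attrs.get("type") or "").lower() == "hidden":
                    hidden = True
                self.findings.append(
                    {"name": attrs.get("name", ""), "autocomplete": token, "hidden": hidden})
        if tag not in VOID_TAGS:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def audit(html):
    p = AutofillAudit()
    p.feed(html)
    return p.findings


def hidden_autofill_fields(html):
    """Autocomplete tokens the browser would fill into fields the user cannot see."""
    return [f["autocomplete"] for f in audit(html) if f["hidden"]]


# Constructed sample: one visible name field, several hidden autofill targets.
SAMPLE = """<form action="/subscribe" method="post">
  <label>Name <input name="name" autocomplete="name"></label>
  <div style="position:absolute; left:-9999px">
    <input name="email" autocomplete="email">
    <input name="cc" autocomplete="cc-number">
  </div>
  <input type="hidden" name="csrf" value="token">
  <input name="phone" autocomplete="tel" style="display:none">
  <input name="tracking" autocomplete="off" hidden>
</form>"""
```

Running `hidden_autofill_fields(SAMPLE)` reports `email`, `cc-number` and `tel`; the visible name field and the `autocomplete="off"` field are not flagged.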


From: John Foliot

Hi Lisa,

Please see my email from Feb. 28th <https://lists.w3.org/Archives/Public/w3c-wai-gl/2018JanMar/1371.html>.

A current example of the security concern can be found here: https://anttiviljami.github.io/browser-autofill-phishing/


JF

On Wed, Mar 7, 2018 at 10:20 AM, lisa.seeman <lisa.seeman@zoho.com> wrote:
Hi David

From what we saw last time we looked into this issue, the concerns about autofill and security were debunked about five years ago. Do you have an updated source for this concern that is reputable and current? (The link below is a 404.)
All the best

Lisa Seeman

LinkedIn <http://il.linkedin.com/in/lisaseeman/>, Twitter <https://twitter.com/SeemanLisa>



---- On Wed, 28 Feb 2018 21:50:28 +0200 David MacDonald <david100@sympatico.ca> wrote ----
Lisa

I'm interested in your opinion. One of COGA's main concerns was for the security and safety of people with cognitive disabilities online. Currently, 1.3.4 is basically mandating that authors add autofill which appears to have a phishing vulnerability.

User autofills name and email, and the site positions inputs offscreen for all kinds of other information which is autofilled... At a recent talk I gave on WCAG 2.1, during questions and answers, two participants independently raised this concern. I had not mentioned security during the talk.

Will this SC help or hurt people with Cognitive disabilities?


Cheers,
David MacDonald



CanAdapt Solutions Inc.

Tel: 613.235.4902

LinkedIn <http://www.linkedin.com/in/davidmacdonald100>

Twitter <http://twitter.com/davidmacd>

GitHub <https://github.com/DavidMacDonald>

http://www.can-adapt.com/




Adapting the web to all users, including those with disabilities


On Wed, Feb 28, 2018 at 12:43 PM, Chaals Nevile <chaals@yandex.ru> wrote:
On Wed, 28 Feb 2018 18:33:42 +0100, Alastair Campbell <acampbell@nomensa.com> wrote:
John wrote:
RE: Horizontal Security Review: I think that the time is *now* (as other specs come to APA for their accessibility horizontal review at around this same time - i.e. CR or sooner).

Maybe it has been submitted already, but noted, I’ll ask about that.

Not sure where it would have been submitted. You could check with the Security IG, or look in the security considerations section(s) of relevant specs.
I am stunned that the browsers have not addressed this *STILL*.

I’m a bit surprised given the mainstream press on it, and it does put this SC in a difficult position.

I'm sad rather than surprised.
I would be interested to know from Charles or Léonie:

* Is there active work on the issue of phishing user-data via autocomplete? [1]

Not that I know of. It would be very helpful if you filed the relevant issues (since you have a head start on us in understanding the problem, so have more chance to get the framing right first-time).
* Where would a suitable place for that discussion to happen?

https://github.com/w3c/html/issues
It occurs to me a good solution to prevent the phishing would be to add visible (foreground) symbols next to fields which can be autocompleted, a bit like Lastpass adds an icon inside of username/password inputs.

Some browsers do something like this. I am pretty sure it is the case, for example, for Yandex browser.
The browser could ensure the symbols are shown even if the inputs were hidden. If those symbols were user-configurable, that would also help with the personalisation aspects as well (or at least be compatible).

[1] the trigger for this discussion was a comment about this article:
https://www.digitaltrends.com/computing/browser-bug-can-fill-in-personal-information-in-hidden-fields/
If you fill in an autocomplete field (e.g. name), the site can have visually hidden fields with email, password, credit card number etc. It can grab that data without the user realising because it is auto-populated.

That rings a bell, actually. I'll have a search through the HTML issues history...

cheers

--
Using Opera's mail client: http://www.opera.com/mail/

--
John Foliot
Principal Accessibility Strategist
Deque Systems Inc.
john.foliot@deque.com

Advancing the mission of digital accessibility and inclusion

Received on Wednesday, 7 March 2018 17:00:36 UTC