Maybe some feedback from the browser detailing which datapoints were autofilled. I don't know...
I'm always concerned about using autofill because browsers eagerly fill any field they have data for.
Initially only the input field for e-mail is displayed. There's also a, hidden to the user's eyes, _next step_ with the password field that gets populated if the browser auto-fills it.
This is not terribly difficult, browsers need to know what is visible because they have to actually display it. If an element isn't drawn it shouldn't be autofilled.
but is something the browser already does, so it's no extra effort.
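An added example, not written by anyone in this thread: a sketch of the "if it isn't drawn, don't autofill it" check discussed above, as a page auditor or extension could apply it. The field-name pattern, the object shape and the names `hiddenReason`, `auditFields` and `describe` are assumptions made for the example, not any browser's actual logic.

```javascript
// Constructed heuristic for "a field autofill probably has data for". It is an
// assumption made for this example, not any browser's real matching rule.
const AUTOFILL_HINT = /name|e-?mail|phone|tel|address|street|city|zip|postal|company|card|cc-/i;

// Why a control is not drawn for the user, or null when it is visible.
// rect is in document coordinates, so negative edges can never be scrolled to.
function hiddenReason(f) {
  const { style: s, rect: r } = f;
  if (s.display === 'none') return 'display:none';
  if (s.visibility !== 'visible') return 'visibility:' + s.visibility;
  if (parseFloat(s.opacity) === 0) return 'opacity:0';
  if (r.right - r.left <= 0 || r.bottom - r.top <= 0) return 'zero-size';
  if (r.right <= 0 || r.bottom <= 0) return 'off-screen';
  return null;
}

// Keep only controls that are both hidden and likely autofill targets.
function auditFields(fields) {
  return fields
    .map(f => ({ name: f.name, reason: hiddenReason(f), hint: `${f.name} ${f.autocomplete}` }))
    .filter(x => x.reason !== null && AUTOFILL_HINT.test(x.hint))
    .map(({ name, reason }) => ({ name, reason }));
}

// Browser-side adapter built on getComputedStyle/getBoundingClientRect.
// Not exercised by the sample below, which uses plain objects.
function describe(el) {
  const cs = getComputedStyle(el), b = el.getBoundingClientRect();
  return {
    name: el.name, autocomplete: el.autocomplete,
    style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
    rect: { left: b.left + window.scrollX, top: b.top + window.scrollY,
            right: b.right + window.scrollX, bottom: b.bottom + window.scrollY },
  };
}

// Constructed sample form: one visible field, three hidden in different ways.
const shown = { display: 'block', visibility: 'visible', opacity: '1' };
const SAMPLE = [
  { name: 'email', autocomplete: 'email', style: shown, rect: { left: 10, top: 10, right: 210, bottom: 40 } },
  { name: 'phone', autocomplete: 'tel', style: { ...shown, display: 'none' }, rect: { left: 0, top: 0, right: 0, bottom: 0 } },
  { name: 'address', autocomplete: '', style: shown, rect: { left: -500, top: 10, right: -300, bottom: 40 } },
  { name: 'note', autocomplete: '', style: { ...shown, opacity: '0' }, rect: { left: 10, top: 50, right: 210, bottom: 80 } },
];

console.log(auditFields(SAMPLE));
```

In a page, `auditFields([...form.elements].map(describe))` gives the same report; the check looks only at each control's own computed style and box, so a fully transparent ancestor or an element covered by another one is not detected.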
This also worked really well with encrypted password storage (if you configured the key to be forgotten after e.g. 10 minutes); it did not nag you to enter the password if you visited a site where you had stored a password but did not intend to log in at the given time.
There's an add-on for Firefox[1], but it doesn't work as well as it did in Opera, and it also doesn't solve the password nagging issue, but I suppose it could help address the vulnerability mentioned here.
I really don't understand why all browsers insist on handling passwords this way.
[1] https://addons.mozilla.org/en-US/firefox/addon/secure-login/
Also, while Opera's wand button filled in both login credentials and common form elements, Chrome's autocomplete is limited to common form elements.
Your second idea about an auto-fill warning would be better. Maybe a simple footer warning or something.
Or massive highlighting around each field
FYI this doesn't work for credit card info, at least not in Chrome. That information has to be auto-filled separately.
But, if the end user doesn't notice or care about the visual cue, you can exploit it. Start typing in a name that has a credit card associated with it in Chrome's autofill: https://jsfiddle.net/hvs4ox2q/4/
If it was you could write a script to automatically post all auto fill data on page load.
https://bugs.chromium.org/p/chromium/issues/detail?id=352527
Currently, when I trigger autofill in Chrome, it tells me the full suite of information it can input for a certain profile (name, address, company, etc), but it doesn't tell me which bits of information are actually being used. Something as simple as placing checkmarks in this popup next to the information that is actually being used could communicate this better.
Safari does this already
Suppose a form uses a non-standard name for the field (say a localized name), and a user enters it at a legitimate site. Any attacker simply has to find these non-standard names for auto-complete to fill this in.
I feel like I've seen a credit card autofill before outside of normal controls.
You might catch some careless people with it though: https://jsfiddle.net/hvs4ox2q/4/
http://www.phpied.com/oversharing-with-the-browsers-autofill...
This is one of the many examples where a privacy-first approach pays off not just in terms of privacy but also in terms of security. In Germany we use the term "Datensparsamkeit" for this principle. Not sure if there is a well-established English term in the international community.
So why do other browsers fill in these fields automatically? Why don't they wait until asked by the user? Because it is more "convenient" for the user? Moreover who benefits from that? Not the users, not the browser vendors, but all those websites with overly long registration forms. These confront their visitors with lots of irrelevant fields (birthday, gender, etc.) just for the sake of collecting data. Nobody would fill all that in voluntarily, but I guess more people will do so (perhaps accidentally) if their browser fills that in by default.
But Safari does it in the most elegant way. They show a popup with all the information that will be autofilled and ask you to confirm before filling out the fields which also protects against AJAXified submissions.
I saw this example doing the rounds on Twitter. Hopefully the Chrome devs notice the noise and move up the priority on fixing / addressing it.
Browsers auto-guessing private data into arbitrary fields on never-before-used webpages?
IMO that's "Just because you can doesn't mean you should" territory.
Sensitive info belongs to a password manager which limits it to the domains the data belong.
Credit card numbers are a pain, though. I could put them to a password manager, and manually select to fill only that particular field when I need to. In reality I rarely buy things where PayPal or Amazon payment options are not available; I suppose Stripe offers a similar service.
So all that stands between you and being in this exact situation (or worse, since passwords) is your password manager's url comparison?
I refuse to use LastPass - the interface is horrible (probably because you're expected to use the browser extension). But I don't want my password manager anywhere near my browser. I'd really rather have to take an affirmative action in order to release each individual piece of information so I know what I'm disclosing and to who.
> your password manager's url comparison?
Better than manual url comparison! A surprising number of humans think things like www.goodcompany.evil.com are urls for "Good Company", and anyone can screw up and make mistakes checking urls (www.goodcomany.com). A password manager running outside my browser and only communicating the bare minimum required by a page, after checking its certificate, sounds like a good idea. LastPass is almost there; the only reservation is that it's not run on a machine controlled by you. Other similar solutions overcome this limitation.
A browser extension is actually a great approach, too: it can and should be open-source and signed, thus reasonably tamper-proof. It should, again, do the bare minimum regarding the communication with the actual password store. Its usefulness is mostly in discovering the mapping between form controls and info to be stored.
Chrome (and I assume others) has a secure credit card and password auto-fill, separate from regular form auto-fill.
I think this means browsers will never fix this issue. I won't be using auto-fill on untrusted websites.
As other comments have noted, it isn't trivial to fix completely, so I believe most browsers just haven't bothered at all, but have implemented some extra protection for credit cards (and of course, CVV numbers are never stored in the first place).
I do believe it would still fail exposing your basic info, such as in this example, however.
However, a lot of users might not have that conscience and might be giving out information which they didn't want to. It would be great to shame websites that were employing these shady techniques, but the solution must come from Chrome. Chrome devs: by default only auto fill one field and on the drop down have as the last option to do what you do now, so that you're sure that the user has consciously chosen to auto fill all fields * have a little disclaimer saying this possibility *. That way you get the best of both worlds with an extra key down
They should probably have private: true in there though, to stop it getting published by mistake, since it isn't a component anyone could usefully import.
Chrome was shown to be vulnerable like 7 years ago but nothing changed.
Closed source stuff like MSIE or Safari? No idea, ask a Windows or OS X user.
I think I remembered that because the direction of thought that autocomplete should always be enabled appears wrong to me. And this situation reminded me of this direction of thought in the past case.
However, I always found it odd how something so prone to this kind of attack could be deployed for all non-tech savvy browser users...
I was trying to create a honeypot for a front-facing web form, but because of the name I gave the honeypot field, some people's autofill information was filling out that field without them knowing.
This is a nice example of a feature that is trivially accessible and yet unobtrusive.
(Alternatively, you can press the down-arrow on the empty field, which will open the auto-completion as well.)
IMO, a much better way, since it works well in situations where your passwords are encrypted and the browser is configured to forget the master key after a while.
Firefox in that scenario will bug you about the master password each time you go to a page where such a password is stored.