If user chooses to save, data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers, such as cyber cafes or airport terminals.
Actions to Take
- Add the attribute autocomplete="off" to the form tag or to individual "input" fields.
- Find all instances of inputs that store private data and disable autocomplete. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords; however, in most cases this is not recommended.s
- Re-scan the application after addressing the identified issues to ensure all of the fixes have been applied properly.
Required Skills for Successful Exploitations
First and foremost, attacker needs either physical access or user-level code execution rights for successful exploitation. Dumping all data from a browser can be fairly easy, and a number of automated tools exist to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the autocomplete feature to see previously entered values.
Using AutoComplete in HTML Forms
HTML forms are a key component to exchanging information between a user and the server. They are common in most visual programming languages, and are used in a variety of implementations on the Web. For example, forms allow users to perform tasks such as searching a Web site, providing feedback, or placing an order.
Microsoft Internet Explorer 5 and later includes an integrated feature called AutoComplete, which helps users quickly enter information into form fields. The AutoComplete innovation in HTML forms safely stores information entered into INPUT_text and INPUT_password fields. When a user submits a form, the name, value, and domain of the form component are encrypted for safekeeping. Storing the information helps users to complete single-line text fields. The next time that user visits a Web page and begins typing in a text field with the same name, the autocomplete attribute prompts an AutoComplete box to appear, providing the user with a list of previously used data.
An AutoComplete box is the primary interface for presenting data to the user. Until an entry in the AutoComplete box is selected, the data remains on the user's computer and is never accessible to a Web site.
Advantages of AutoComplete in HTML Forms
AutoComplete in HTML forms provides the following advantages:
- Information is stored on the user's computer.
- User experience is simplified by helping the user fill out forms.
- User information remains secure. While users can see their private information on a Web site, a Web site cannot see the list of personal information until one of the stored values is selected and the field is filled in.
The AutoComplete box provides several levels of security:
- Rogue Web sites cannot access the features of an open AutoComplete box.
- Outsiders cannot collect the saved data store.
- The data store is encrypted on the user's computer.
The first time a Web site is made aware of the new information is when the user selects one of the suggested entries and the data is entered into the field.
AutoComplete can be turned off using one of the following options:
- Administrators can turn off AutoComplete and restrict its use through the Internet Explorer Administrators Kit (IEAK). When an administrator turns off AutoComplete, there is no way for a Web site or user on the administrator's intranet to turn it back on.
- Web sites can turn off AutoComplete using the AUTOCOMPLETE attribute. When a Web author disables AutoComplete, the AutoComplete box does not appear for the disabled form or field and the values are not stored.
- Users can turn off AutoComplete from the AutoComplete dialog box in Internet Explorer. The AutoComplete dialog box is available by selecting Internet Options from the Tools menu, and then selecting the Content tab. When a user turns off AutoComplete, there is no way a site can turn it back on.
The security measures provided for AutoComplete help protect passwords. The AutoComplete feature does not operate in the same fashion with password fields as with regular text fields. When a password is first entered, the user is prompted with the following options:
- Yes. The password is saved with the user name for that URL.
- No. The password is not saved with the user name (default).
- A check box allowing users to select whether they will be prompted to save passwords. If selected, the dialog box is not displayed again unless re-enabled from the AutoComplete Settings dialog.
When the AutoComplete feature is set to save passwords, a password is automatically filled in when a known user name is provided, and the password and user name are stored by URL. When changing passwords, the user is prompted to save the new password.
AutoComplete provides a convenient and safe way for users to quickly complete forms, and for Web sites to enhance user experience on a page. User information saved in the AutoComplete data store is safeguarded, because Web sites cannot automatically fill in forms using the data store, and a login page facade cannot fool the browser into surrendering the information due to domain-specific security.