Now Chatting

Hello, can I help you with anything?

If user chooses to save, data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers, such as cyber cafes or airport terminals.

Customers

Case Studies

Affiliates

Philosophy

We offer cyber security penetration testing and consultancy services to a variety of customers.

Impact

If user chooses to save, data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers, such as cyber cafes or airport terminals.

Actions to Take

  • Add the attribute autocomplete="off" to the form tag or to individual "input" fields.
  • Find all instances of inputs that store private data and disable autocomplete. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords; however, in most cases this is not recommended.s
  • Re-scan the application after addressing the identified issues to ensure all of the fixes have been applied properly.

Required Skills for Successful Exploitations

First and foremost, attacker needs either physical access or user-level code execution rights for successful exploitation. Dumping all data from a browser can be fairly easy, and a number of automated tools exist to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the autocomplete feature to see previously entered values.

Advantages of AutoComplete in HTML Forms

AutoComplete in HTML forms provides the following advantages:

  • Information is stored on the user's computer.
  • User experience is simplified by helping the user fill out forms.
  • User information remains secure. While users can see their private information on a Web site, a Web site cannot see the list of personal information until one of the stored values is selected and the field is filled in.

AutoComplete Security

The AutoComplete box provides several levels of security:

  • Rogue Web sites cannot access the features of an open AutoComplete box.
  • Outsiders cannot collect the saved data store.
  • The data store is encrypted on the user's computer.

The first time a Web site is made aware of the new information is when the user selects one of the suggested entries and the data is entered into the field. AutoComplete can be turned off using one of the following options:

  • Administrators can turn off AutoComplete and restrict its use through the Internet Explorer Administrators Kit (IEAK). When an administrator turns off AutoComplete, there is no way for a Web site or user on the administrator's intranet to turn it back on.
  • Web sites can turn off AutoComplete using the AUTOCOMPLETE attribute. When a Web author disables AutoComplete, the AutoComplete box does not appear for the disabled form or field and the values are not stored.
  • Users can turn off AutoComplete from the AutoComplete dialog box in Internet Explorer. The AutoComplete dialog box is available by selecting Internet Options from the Tools menu, and then selecting the Content tab. When a user turns off AutoComplete, there is no way a site can turn it back on.

The security measures provided for AutoComplete help protect passwords. The AutoComplete feature does not operate in the same fashion with password fields as with regular text fields. When a password is first entered, the user is prompted with the following options:

  • Yes. The password is saved with the user name for that URL.
  • No. The password is not saved with the user name (default).
  • A check box allowing users to select whether they will be prompted to save passwords. If selected, the dialog box is not displayed again unless re-enabled from the AutoComplete Settings dialog.

When the AutoComplete feature is set to save passwords, a password is automatically filled in when a known user name is provided, and the password and user name are stored by URL. When changing passwords, the user is prompted to save the new password.
AutoComplete provides a convenient and safe way for users to quickly complete forms, and for Web sites to enhance user experience on a page. User information saved in the AutoComplete data store is safeguarded, because Web sites cannot automatically fill in forms using the data store, and a login page facade cannot fool the browser into surrendering the information due to domain-specific security.