Vulnerability Fixation
How To Disable Autocomplete


If the user chooses to save it, data entered in form fields is cached by the browser. An attacker who can access the victim's browser could retrieve this information.

This is especially important if the application is commonly used in shared computers, such as cyber cafes or airport terminals.

AutoComplete allows browsers to store previously entered form data to help users fill forms faster. However, if sensitive fields such as passwords, personal details, payment information, or confidential data are stored, attackers with access to the browser can retrieve this information.

This is especially dangerous on shared or public systems like offices, airports, and cyber cafes.

While AutoComplete is useful for convenience, disabling it on sensitive forms is crucial for preventing data exposure on shared and insecure systems.

Impact

  • Stored input values such as usernames, phone numbers, or credit card details can be viewed by attackers.
  • Information theft may lead to identity fraud or unauthorized access to user accounts.
  • Cached sensitive form data can expose confidential business information.

Actions to Take

  • Disable AutoComplete for sensitive forms:
    <form autocomplete="off"> ... </form>
  • Disable AutoComplete for sensitive input fields (e.g., passwords, payment fields):
    <input type="text" autocomplete="off">
  • Audit and update all forms that collect personal or financial data.
  • Re-scan the application after applying changes to ensure compliance.
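The audit step above is easiest to repeat reliably with a script. The following checker is an added example (not code from the original page): it walks HTML with Python's standard-library html.parser and reports sensitive inputs that can still be autofilled, honouring a form-level autocomplete="off" unless a field overrides it. The list of sensitive types and name hints is an assumption to tune per application, and the sample HTML is constructed for the demo. One caveat built into the checker: most current browsers ignore autocomplete="off" on password fields, so for password-creation and change forms the value browsers still honour is autocomplete="new-password", which the checker accepts as protected.

```python
"""Audit HTML forms for sensitive inputs that still allow browser AutoComplete.

Added example, not part of the original page. Standard library only.
"""
from html.parser import HTMLParser

# Assumption: which inputs count as sensitive. Tune per application.
SENSITIVE_TYPES = {"password"}
SENSITIVE_NAME_HINTS = ("card", "cvv", "ssn", "passport", "iban", "account")

# Values that switch autofill off for a field. "new-password" is included
# because browsers generally ignore "off" on password fields but honour it.
OFF_VALUES = {"off", "new-password"}


class AutocompleteAuditor(HTMLParser):
    """Collects (line, field name, reason) for unprotected sensitive inputs."""

    def __init__(self):
        super().__init__()
        self._form_off = []   # stack: does the enclosing <form> disable autofill?
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "form":
            self._form_off.append(a.get("autocomplete") in OFF_VALUES)
            return
        if tag != "input":
            return
        name = a.get("name") or a.get("id") or "<unnamed>"
        itype = a.get("type", "text")
        sensitive = itype in SENSITIVE_TYPES or any(h in name for h in SENSITIVE_NAME_HINTS)
        if not sensitive:
            return
        field_value = a.get("autocomplete")
        if field_value is None:
            # No field-level attribute: inherit the enclosing form's setting.
            protected = self._form_off[-1] if self._form_off else False
        else:
            # Explicit field-level value overrides the form (e.g. "on" re-enables).
            protected = field_value in OFF_VALUES
        if not protected:
            line, _ = self.getpos()
            self.findings.append((line, name, f"type={itype} allows autocomplete"))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_off:
            self._form_off.pop()


def audit(html: str):
    """Return a list of (line, field name, reason) findings for the given HTML."""
    parser = AutocompleteAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one unprotected login form, one payment form whose
# form-level "off" is overridden on the CVV field, and one correct change-password form.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form action="/pay" method="post" autocomplete="off">
  <input type="text" name="card_number">
  <input type="text" name="cvv" autocomplete="on">
</form>
<form action="/settings" method="post">
  <input type="password" name="new_password" autocomplete="new-password">
</form>
"""

if __name__ == "__main__":
    for line, name, reason in audit(SAMPLE_HTML):
        print(f"line {line}: field '{name}' {reason}")
```

Run it against the constructed sample and it reports the login password field (line 4) and the CVV field that re-enabled autofill (line 8); the card number field inherits the form's "off" and the change-password field uses "new-password", so neither is flagged. Pointing it at an application's templates gives a repeatable check before and after the fix.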

Required Skills for Exploitation

  • Physical access to the victim’s browser or system.
  • Local account breach allowing an attacker to run browser stored-data extraction tools.
  • Ability to trigger AutoComplete suggestions to reveal stored entries.

Advantages of AutoComplete

  • Faster form filling improves user experience.
  • Information remains stored locally on the user’s system.
  • Websites cannot read stored data until users manually select values.

AutoComplete Security Controls

  • Encrypted storage of cached form data on the user's computer.
  • Websites cannot access AutoComplete suggestions directly.
  • Users can disable AutoComplete from the browser settings manually.
  • Administrators can enforce disabling AutoComplete using browser configuration policies.
  • Developers can disable AutoComplete for specific forms using the HTML “autocomplete” attribute.

Password Handling

  • Browsers prompt users before saving a new password.
  • Password AutoComplete only works when a matching username is entered.
  • Passwords are saved per-domain to avoid cross-site data leaks.
