Browser Autocomplete Feature May Reveal Personal Data

The autocomplete feature can be pretty handy at times. It helps you log in on your favorite website faster or load a website in your browser without having to enter the full web address. Researchers from Minded Security Labs have released a proof of concept that demonstrates how a third party website can get access to a browser’s autocomplete entries (which means stealing).

The proof of concept works in Firefox, but the security researchers state that other browsers are also affected by it. They explicitly mention Microsoft’s Internet Explorer and note that the Google Chrome may be vulnerable as well. They do however mention that an attack may not be as easy to implement for that browser due to the fact that Chrome does not “send keydown/keyup events to JS when the autocomplete drop down menu is focused”.

Here is how the issue can be exploited:

It is possible to get key down / up events via JavaScript when a drop down autocomplete menu is shown. This means that it is possible to lure a user to play a game and steal arbitrary values from browsers autocomplete feature.

The proof of concept page demonstrates how third party websites can steal autocomplete information from Firefox. The page can check if autocomplete information are available for sites such as Twitter, Facebook, Gmail, Microsoft or Yahoo logins as well as three different types of inputs.

According to the security researcher, browser vendors should implement a feature into their browsers that ties the autocomplete input to a particular website. The only way to protect the data from being stolen is to disable the browser’s autocomplete feature for forms and searches.

Firefox users can do that in the preferences under the Privacy tab.