‘Autofill Passwords Feature’ Could Expose Your Credentials
We all know that the browsers have added a feature that is commonly called “autofill”. It eases the login process for web applications by automatically filling your saved credentials for that particular web application. This autofill feature is enabled by default on most commonly used browsers, like Firefox, Chrome, Edge, Opera, and Internet Explorer. The bad part is that sometimes it can’t be disabled at all. For example, there’s no way to prevent credentials from auto-filling in browsers based on Chromium, like Chrome and Edge, as there is no option to disable it. All you can do to prevent autofill on those browsers is to not save your credentials at all. The thing that needed to be taken seriously is to prevent an XSS attack. Now, let’s discuss how it all happens? When your browser finds, at any time, an input tag of type “password”, it automatically fills it with a password. An XSS attack can simply add a password field somewhere in the body of the page, wait for the browser to autofill it, and then fetch the value inside the field to send it to the server. The basic purpose is to give more visibility to this attack vector and help people understand the impact of using the autofill feature, which is enabled by default on most browsers. So, if you want to prevent such attacks then either don’t use this feature or don’t save your passwords. Stop using browsers to save your sensitive passwords that involve credit cards or financial transactions, including banking and shopping sites. Also Read: Update Google Chrome web browser to prevent zero-day exploit