
Auto-complete can put your customers under threat

You probably know the auto-complete feature in your web browser, and also in web applications such as the Google search engine. I am going to discuss where to use it and where not to use it. You might find the following 2 points interesting:


  1. Auto-complete helps improve the user experience (UX)
  2. Auto-complete can put your customers under threat if no care is taken to disable it in certain places


I will concentrate on the 2nd point, which is the one you are interested in. Consider a web application that does not implement an auto-complete feature of its own, but the web browser saves form history and offers auto-complete from it. Most people leave auto-complete turned on in their web browsers. Below is a striking example of how not disabling auto-complete in the web application's code can lead to unauthorized access to an account by someone other than its owner.


Suppose the sign-up page has a Secret Answer text field that is shown in plain text. (This alone is a bad design: the secret answer acts as an authentication factor too, so it has to be masked. You mask the password so that others cannot see it; does keeping the secret answer in plain text make any sense?) Some of the site's users share a computer. Let us say 10 customers sign up on it, each choosing a different secret answer; these are non-computer-savvy users. Now someone like me (as an example), playing the evil hacker, starts using the website on the same computer where the 10 customers registered. I go to the sign-up page, double-click on the "Secret Answer" text field, and guess what: the browser's auto-complete list shows me the 10 secret answers, one for each of those end-users. Now I need to know which e-mail addresses they were using. That's simple; double-click on the "e-mail address" text field and I get 10 e-mail addresses. Wow! Let me have a mug of beer now and dance.


Above, you saw how not disabling auto-complete in the web application's code could affect your customers, and you too.


Where should auto-complete be set to off?

  1. E-mail address (use a Remember Me option instead, so users are not made to type their e-mail address every time)
  2. Secret Answer (consider masking it too, or else someone shoulder surfing might exploit it)
  3. Credit Card Numbers
  4. Bank Account Numbers


Confidential information of any kind should not be visible under auto-complete and should not be allowed to be saved in the web browser's history. For each field, ask yourself: what is the impact of not having auto-complete, and what is the impact of having it? This helps you add usability as well as security to your web application.
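As an added example that is not part of the original post, here is a small Node.js audit script a tester could run over sign-up form markup: it looks for the kinds of fields listed above and flags any that still allow browser auto-complete, plus a secret answer rendered as an unmasked text field. The sample form and its field names are constructed for the example.

```javascript
// Added example (not from the original post): audit sign-up form markup for the
// confidential fields listed above and flag any still allowing auto-complete (plain Node.js, no DOM).

// Name/id patterns for fields that must not be auto-completed.
const SENSITIVE = [/secret/i, /e-?mail/i, /card/i, /account/i];

// Constructed sample sign-up form; the field names are hypothetical.
const SAMPLE_SIGNUP = `
<form action="/signup" method="post">
  <input type="text" name="email" autocomplete="off">
  <input type="password" name="password">
  <input type="text" name="secret_answer">
  <input type="text" name="card_number" autocomplete="on">
</form>`;

// Parse every <input ...> tag into an object keyed by lower-cased attribute name.
function parseInputs(html) {
  const tags = html.match(/<input\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const attrs = {};
    const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let m;
    while ((m = re.exec(tag)) !== null) {
      attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).trim();
    }
    return attrs;
  });
}

// One finding per problem: a sensitive field without autocomplete="off"
// (unless the whole <form> is autocomplete="off"), and an unmasked secret answer.
function auditAutocomplete(html) {
  const formOff = /<form\b[^>]*\bautocomplete\s*=\s*["']?off\b/i.test(html);
  const findings = [];
  for (const attrs of parseInputs(html)) {
    const field = attrs.name || attrs.id || "";
    if (!SENSITIVE.some((re) => re.test(field))) continue;
    const ac = (attrs.autocomplete || "").toLowerCase();
    if (!formOff && ac !== "off") {
      findings.push({ field, issue: `autocomplete is ${ac || "not set"}` });
    }
    if (/secret/i.test(field) && (attrs.type || "text") === "text") {
      findings.push({ field, issue: "secret answer is not masked" });
    }
  }
  return findings;
}
console.log(auditAutocomplete(SAMPLE_SIGNUP));
```

Note that current browsers ignore autocomplete="off" for login credentials handled by their password managers, so the attribute mitigates the secret-answer and card-number cases but is not a substitute for masking the field.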


You could maintain a checklist of which fields must not be auto-completed in your web application. You might also want to communicate this to the test teams working on different projects in your organization, to benefit both your customers and your organization. I hope you had a good read.

SanthoshTuppad

I have been a software tester for over 5 years. I am a hands-on tester and I've been winning bug battles & testing competitions across the world. I am a testing enthusiast who conducts free workshops on security testing across India (covered locations: Bengaluru, Pune, Hyderabad & Chennai; invite him to come to your location), and monthly meets for testers in Bengaluru. I am also an avid testing blogger.

My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, teams in any profession.


6 Comments

  1. Mohit Verma wrote:

    Hi Santhosh,

    Thanks for sharing your ideas regularly with us. Your posts always help something or other to learn.

    For the above post, I have one concern: in the above example you have considered non-computer-savvy users. How can you expect them to know the risks associated with the auto-complete feature? For them it is a utility to save their time and to remember things.

    But, if we forget that it can happen only with non-computer-savvy users, then whatever you have said is true and really very valuable, because I think anybody can make mistakes. So, a user must know where the auto-complete feature can be used without risk.

    Monday, September 26, 2011 at 12:40 pm | Permalink
  2. Mohit, this is not with respect to computer-savvy or non-computer-savvy users. This might happen to anyone. I am not expecting them to know the risks here. A Secret Answer has got to be secret, and if it is stored even in the auto-complete of the web browser, the end-user will wonder why their secrecy is not maintained.

    >> For them it is a utility to save their time and to remember the things.

    Auto-complete should not be a utility for secret answers, my dear friend, and I want to make clear that I am not speaking about the auto-complete of a web browser, but about auto-complete not being set to off in the code for the text fields which contain confidential information. I hope you understand the context. If you have set auto-complete off in your code then you are protecting them from the bad.

    >> But, if we can forget that it can happen only with non-computer savvy users then whatever you have said is true and really very valuable because I think anybody can do the mistakes. So, a user must know where auto-complete feature can be used without risk.

    It is not about anybody making mistakes; I am speaking about building a product which does not expose your customers' confidential information to the bad folks who could exploit it. And why should a user know about the auto-complete feature here? I am speaking with respect to auto-complete being disabled for text fields which could be a key to unauthorized access to someone's account.

    I would like to add one point here. Let us say I am signing up for some website and I see that secret answer auto-complete is not off; now, as I know about this bug, I would clear the history. So, being aware, I can do this, but that is not how it is supposed to be done; it is a workaround, and most people would not know about it. If you consider yourself computer-savvy, then I would say that there is a possibility that you might have been, or would (if you had not read this blog post) be, prone to it one day or the other. It doesn't mean that anyone who knows how to work with a computer would know this security vulnerability or the risk associated with it, so from my experience I would say most of them would be vulnerable to this security vulnerability.

    Wednesday, September 28, 2011 at 1:43 am | Permalink
  3. Ananda wrote:

    Santhosh,

    A very good article. I like reading your blog. It provides very useful security testing tips for us.

    Thanks,
    Ananda

    Monday, October 10, 2011 at 1:31 am | Permalink
  4. Thanks :) I am glad you liked the article. Please do not miss reading the article on Captcha Part II in the http://testingcircus.com/ e-magazine, which will be published soon.

    Tuesday, October 11, 2011 at 1:02 am | Permalink
  5. Thanks Santhosh, it's really an interesting thing for a bad guy. It's not only about shoulder surfing; different versions of the recent browsers are vulnerable to this attack. Please read this one.

    http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html

    Browsers remembering form data is a really exciting feature, but it can lead to stealing your very sensitive data. I always fear when I access my bank accounts from the office. I used to clear my secret question answers (pressing the DELETE key) even when I am on my personal laptop. I guess in some cases the USERNAME field should also be considered.

    Thanks again Santhosh for pointing it out.

    Sunday, October 16, 2011 at 9:00 pm | Permalink
  6. Monirul, thanks for your comment and for sharing the URL. You are right about the "Username" field too, considering the context. Yes, clearing the secret answers on your laptop is a good one, and even I care about it.

    Monday, October 17, 2011 at 12:34 am | Permalink
