Password Autocomplete vulnerability and a workaround solution

Until recently, it was trivial for developers to disable the "save your password" feature implemented by all major browsers. In recent years, however, browser vendors have begun to actively discourage and prevent applications from disabling it. Their argument is that the safest practice for users is a password manager, rather than passwords lying around on digital or physical media where they can be exposed or stolen. Since it is a client-side matter, they hold that the choice to disable the feature should belong to the user (by configuring the browser), not to the developer.

Although this is partly true, it does not account for highly sensitive applications that may be used on a shared computer and that cannot rely on the browser being properly configured (with autocomplete disabled). If this is your case, keep reading.

It is now a real challenge to find a workaround that works across all major browsers. So we came up with the following trick, which detects the user's browser and acts accordingly:

  • For Firefox/Internet Explorer/Opera: it is enough to implement an AJAX-based login form. On submit, the credentials are checked asynchronously with the server and, depending on the response, the user is redirected to their home page or asked to log in again. Because no real form submission or page navigation happens, the browser does not recognise a login and does not offer to save the password.
  • For Chrome, 2 possibilities exist (if you know of another, please share!):
    • Setting the "type" attribute of the password input field to "text", but masking it with the password styling in CSS (style="-webkit-text-security: disc; …", the prefixed property browsers actually implement), so the password is not displayed on screen.
    • Setting the "type" attribute of the password input field to "text", and dynamically changing it back to "password" after 10 milliseconds with JavaScript.
  Both Chrome tricks rely on the browser not seeing a password field when the page loads. They are heuristics workarounds, not a supported API: Chrome ignores autocomplete="off" on password fields, and later versions may tighten their detection, so re-test against current builds before relying on them.
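The following is an added example showing the whole scheme in one place: the AJAX login used for Firefox/IE/Opera and both Chrome tricks. It is not the original post's code. The endpoint /api/login, the redirect target /home, the element ids login/user/pass, and the server answering JSON {"ok": true|false} are assumptions; the strategy and masking functions are kept free of DOM globals so they can be exercised outside a browser.

```javascript
// Assumed endpoint and redirect target (not from the original post).
const LOGIN_URL = '/api/login';
const HOME_URL = '/home';

// Decide which workaround to apply from the user-agent string. Chrome-based
// browsers get the type-swap trick; the others are covered by the AJAX form.
function chooseStrategy(userAgent) {
  return /Chrome\//.test(userAgent || '') ? 'type-swap' : 'ajax';
}

// Chrome trick 2: the field is created as type="text" so Chrome does not see a
// password field at page load, then flipped to "password" after a short delay.
// `scheduler` is window.setTimeout in the browser; injected so it can be faked.
function applyTypeSwap(input, delayMs, scheduler) {
  input.type = 'text';
  input.autocomplete = 'off';
  scheduler(() => { input.type = 'password'; }, delayMs);
  return input;
}

// Chrome trick 1: keep type="text" permanently and mask the glyphs with CSS.
// The post writes the property as "text-security"; shipping browsers implement
// the prefixed -webkit-text-security (style.webkitTextSecurity from script).
function applyTextSecurity(input) {
  input.type = 'text';
  input.autocomplete = 'off';
  input.style.webkitTextSecurity = 'disc';
  return input;
}

// AJAX login for Firefox/IE/Opera: credentials are sent with fetch instead of
// a normal form submission, so the browser sees no navigation and does not
// offer to save the password. Returns where to send the user next.
async function loginViaAjax(username, password, fetchFn) {
  const res = await fetchFn(LOGIN_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password }),
  });
  const body = await res.json();   // assumed server reply: {ok: true|false}
  return body.ok ? { redirect: HOME_URL } : { redirect: null, retry: true };
}

// Wire the pieces to a real form. Only meaningful in a browser.
function setupLoginForm(form, userInput, passInput, win) {
  if (chooseStrategy(win.navigator.userAgent) === 'type-swap') {
    applyTypeSwap(passInput, 10, win.setTimeout.bind(win));
  }
  form.addEventListener('submit', async (ev) => {
    ev.preventDefault();           // never let the browser submit the form itself
    const r = await loginViaAjax(userInput.value, passInput.value, win.fetch.bind(win));
    if (r.redirect) {
      win.location.assign(r.redirect);
    } else {
      passInput.value = '';        // ask the user to log in again
      userInput.focus();
    }
  });
}

if (typeof document !== 'undefined') {
  setupLoginForm(
    document.getElementById('login'),   // assumed element ids
    document.getElementById('user'),
    document.getElementById('pass'),
    window,
  );
}
```

Note that none of this changes what goes over the wire: the password still travels in the request body, so TLS and server-side rate limiting are unaffected by the trick. Only the browser's decision to offer "save password" is influenced, and only for as long as its heuristics do not recognise the field.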


Try it yourself: http://online.attacker-site.com/pages/autocomplete/autocomplete2.php


2 replies
  1. Daniel says:

    Hi,
    Does this workaround still work?
    I tried submitting a password in form 6 of your test site, and Chrome offered to save my password.
