Password Autocomplete vulnerability and a workaround solution
Until recently, it was trivial for developers to disable the "save your password" feature implemented by all major browsers. In recent years, however, browser vendors have begun to actively discourage and prevent applications from disabling this feature. Their case is that the safest practice for users is to rely on a password manager instead of having their passwords lying around on digital or physical media, where they can be exposed or stolen. Since it is a client-side matter, they argue that the choice should belong to users (not to developers), who can disable the feature by configuring the browser itself.
Although this is partly true, it does not take into account highly sensitive applications that may be used on a shared computer and that do not want to rely on the browser being properly configured (with password saving disabled). If this is your case, keep reading.
Finding a workaround that works across all major browsers is now a real challenge. We came up with the following trick, which detects the user's browser and acts accordingly:
- For Firefox/Internet Explorer/Opera: an AJAX-based login form is enough. On submit, the credentials are sent to the server asynchronously (there is no native form submission, so the browser never observes a password form being posted), and depending on the response the user is redirected to their home page or asked to log in again (see the code below for more details).
- For Chrome, two possibilities exist (if you know of another, please share!):
  - Set the password input's "type" attribute to "text" and apply the password field's masking through CSS, i.e. style="-webkit-text-security: disc; …" (the property is vendor-prefixed in Chromium/WebKit), so the characters are still rendered as dots. Only the rendering is masked: the field is an ordinary text input, so its value can be selected and copied and it does not get the handling a real password field gets.
  - Set the "type" attribute to "text" in the markup and switch it back to "password" with JavaScript about 10 milliseconds after the page loads, so that no password field exists when the password manager inspects the page.
Both Chrome tricks depend on the password manager's heuristics, which change between releases, so re-test them after each browser update.
Try it yourself: http://online.attacker-site.com/pages/autocomplete/autocomplete2.php
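The three workarounds above, written out as an added example (this is not the original post's code, nor the code behind the test page). The element ids `login` and `pwd`, the `/api/login` endpoint and its JSON reply shape are assumptions, and the `fakeField()` stand-in is a constructed input so the helpers can be exercised outside a browser:

```javascript
// Added example (not the original post's code). Helpers for the workarounds
// described above: CSS-masked text field, delayed type switch, and AJAX login.
// Element ids "login" and "pwd" and the endpoint "/api/login" are assumptions.

// Constructed stand-in for an <input> element so the helpers can be exercised
// outside a browser (e.g. under Node); a real HTMLInputElement works the same way.
function fakeField() {
  const cssProps = new Map();
  return {
    type: 'password',
    attrs: {},
    setAttribute(name, value) {
      this.attrs[name] = value;
      if (name === 'type') this.type = value;
    },
    style: {
      setProperty(name, value) { cssProps.set(name, value); },
      getPropertyValue(name) { return cssProps.get(name) || ''; },
    },
  };
}

// Chrome trick 1: keep the input as type="text" and mask the glyphs with CSS.
// The real property is vendor-prefixed (-webkit-text-security) in Chromium/WebKit.
// Only the rendering is masked: the value is selectable/copyable like any text.
function maskWithCss(field) {
  field.setAttribute('type', 'text');
  field.setAttribute('autocomplete', 'off');
  field.style.setProperty('-webkit-text-security', 'disc');
  return field;
}

// Chrome trick 2: start as type="text" so no password field exists at load time,
// then flip it to type="password" after a short delay (10 ms in the post).
// `schedule` defaults to setTimeout and is injectable so the flip can be tested.
function flipToPasswordLater(field, delayMs = 10, schedule = setTimeout) {
  field.setAttribute('type', 'text');
  field.setAttribute('autocomplete', 'off');
  schedule(() => field.setAttribute('type', 'password'), delayMs);
  return field;
}

// Maps the server's answer to the next client-side step. Kept separate from the
// network call so the decision logic can be tested without a server.
function decideNextStep(status, body) {
  if (status === 200 && body && body.ok === true) {
    return { action: 'redirect', to: body.home || '/home' };
  }
  return { action: 'retry', message: 'Login failed, please try again.' };
}

// AJAX login (Firefox/IE/Opera branch): the credentials go out via fetch rather
// than a native form submission, so the browser never observes a password form
// being posted. `fetchImpl` is injectable for testing. The assumed /api/login
// endpoint replies with JSON such as {"ok": true, "home": "/home"}.
async function ajaxLogin(user, pwd, fetchImpl = globalThis.fetch) {
  const resp = await fetchImpl('/api/login', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    credentials: 'same-origin',
    body: JSON.stringify({ user, pwd }),
  });
  let body = null;
  try { body = await resp.json(); } catch (_) { /* non-JSON error page */ }
  return decideNextStep(resp.status, body);
}

// Browser wiring: pick the trick from the user agent (a coarse check, as in the
// post) and submit over AJAX. Skipped when the script runs outside a browser.
if (typeof document !== 'undefined') {
  const form = document.getElementById('login');
  const pwd = document.getElementById('pwd');
  if (/Chrome\//.test(navigator.userAgent)) flipToPasswordLater(pwd);
  form.addEventListener('submit', async (ev) => {
    ev.preventDefault();               // no native submission, no "save password" prompt
    const next = await ajaxLogin(form.elements.user.value, pwd.value);
    if (next.action === 'redirect') location.assign(next.to);
    else alert(next.message);
  });
}
```

The scheduler and fetch implementation are injected only so the behaviour can be checked without a browser or a server; in a page you call `flipToPasswordLater(pwd)` and `ajaxLogin(user, pwd)` with the defaults. Whichever trick is used, the server still has to validate the credentials on every request; nothing here changes the authentication itself, only whether the browser offers to remember the password.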
Hi,
Does this workaround still work?
I tried submitting a password in form 6 of your test site, and Chrome offered to save my password.
Hey Daniel,
Thanks to you, I've updated the post (see the "update" section) and added a new working option. After some tests, it looks like the best solution.
See Auto complete – Form 7.
Regards
Israel