Auto complete not disabled

By
Jijith Rajan
Published on
24 Jun 2018
1 min read

Auto Complete Not Disabled is a medium risk vulnerability that can leak sensitive information such as credit card details and passwords. If the developer omits autocomplete=off on such input fields, the consequences for end users can be serious. All major browsers offer to save the values entered into forms, including login credentials for different websites; the browser caches this data locally and, with browser sync enabled, in the cloud. If the local computer or the cloud account is compromised, the attacker can reuse these saved credentials to attack the victim user. This potential vulnerability is fixed by adding autocomplete=off to all the input fields concerned.

Example

The following is an example of a vulnerable input field.

        <INPUT TYPE="password" AUTOCOMPLETE="on">


Impact

If the browser or the cloud account in which the credentials are saved is compromised, the attacker can:-

  • perform a major data breach of user credentials.
  • manipulate information using these credentials.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Turn off the autocomplete attribute on any input element that is used for passwords or contains sensitive information.
        <INPUT TYPE="password" autocomplete="off">
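The check above can be applied to markup before it ships. The following is an added example, not code from the original post or from Beagle: a small Node.js script that scans an HTML string for sensitive input elements (password fields, or fields whose name or id hints at card data; the name list is a hypothetical heuristic) and reports those that do not explicitly set autocomplete="off".

```javascript
// Sensitive-field heuristics: a password type, or a name/id that looks
// card- or secret-related (hypothetical list, extend to suit your forms).
const SENSITIVE_TYPES = new Set(["password"]);
const SENSITIVE_NAME_RE = /(card|ccnum|cvv|cvc|ssn|secret)/i;

// Parse the attributes of one tag body (everything after "<input").
// Handles double-quoted, single-quoted and unquoted values; names lowercased.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per sensitive <input> that does not explicitly set
// autocomplete="off". Tag and attribute matching is case-insensitive, as in HTML.
function findAutocompleteIssues(html) {
  const findings = [];
  const inputRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const type = (attrs.type || "text").toLowerCase();
    const name = attrs.name || attrs.id || "";
    if (!SENSITIVE_TYPES.has(type) && !SENSITIVE_NAME_RE.test(name)) continue;
    const ac = (attrs.autocomplete || "").trim().toLowerCase();
    if (ac !== "off") {
      findings.push({ tag: m[0], type, name, autocomplete: ac || "(absent)" });
    }
  }
  return findings;
}

// Constructed sample form: mixes the vulnerable and the fixed variants.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <INPUT TYPE="text" NAME="username">
  <INPUT TYPE="password" NAME="pwd" AUTOCOMPLETE="on">
  <input type='password' name='confirm'>
  <input type="text" name="card_number" autocomplete="off">
  <input type="text" name="cvv" autocomplete=on>
</form>`;

for (const f of findAutocompleteIssues(SAMPLE_HTML)) {
  console.log(`${f.type} field "${f.name}": autocomplete=${f.autocomplete}`);
}
```

Because current browsers may ignore autocomplete=off on login fields in favour of their built-in password managers, treat a clean scan as a hygiene check rather than a guarantee that nothing will be saved.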


Written by
Jijith Rajan
Cyber Security Engineer