
Auto Complete Not Disabled is a medium-risk vulnerability that can leak sensitive information such as credit card details, passwords and more. If the developer omits AutoComplete=off from input fields, the consequences for end users can be serious. All browsers have a feature that saves login credentials for different websites. The browser caches the data and saves it locally and in the cloud. If the cloud or the local computer is compromised, the attacker could reuse these credentials to perform attacks on the victim user. This potential vulnerability can be fixed if the developer adds AutoComplete=off to all the input fields.
Example
The following is an example of a vulnerable input field.
<INPUT TYPE="password" AUTOCOMPLETE="on">
Impact
If the browser or the cloud in which the credentials are saved gets compromised, the attacker can also:
- cause a major breach of user credentials.
- manipulate any information using these credentials.
Mitigation / Precaution
Beagle recommends the following fix:
- Set the AUTOCOMPLETE attribute to off on every input element that is used for passwords or contains sensitive information.
<INPUT TYPE="password" autocomplete="off">





