Google Chrome Autofill security/privacy issue? (With multiple accounts on a site) - google-chrome

Scenario
On site example.com I have 3 different accounts (e.g. usernameA:passwordA, usernameB:passwordB, usernameC:passwordC). I have let the browsers store them.
So the next time I go to example.com, the browser autofill/prefills the username and password fields of the first account (usernameA:passwordA). There's a dropdown list containing the other accounts (usernameB:passwordB and usernameC:passwordC.)
Question
When the first usernameA:passwordA is autofill/prefilled by browser... is it known to example.com before I choose usernameC:passwordC? (if example.com is tracking form input fields?)
Can example.com know that both usernameA and usernameC are used by same person? (by tracking form input fields?)
Can example.com know that the browser had autofill/prefilled the form fields of currently logged-in user (which is usernameC) with usernameA & passwordA first, before this user manually chose usernameC?
Update
So it appears my question remains without any interest. Meanwhile I have tried googling this issue, and tried Chrome, Firefox and Opera forums, but haven't found anything (most probably because I am not using right terms to look for perhaps?). I'll just leave it here hoping someone in the know eventually stumbles on to it. Thanks.

It appears that Browsers do not sent the <input> fields of login and passwords to the sites until after submission via <form> so I think it's a safe practise.

Related

Prevent autofill of passwords for all browsers

It's well documented that Chrome and Firefox ignore the standard autocomplete="off" attribute in html as they (Google) feel it wasn't being used correctly. They have even come up with workarounds and their own set of values for autofilling fields.
However, We need to prevent users passwords from being auto-filled for a website we're working on, and none of the suggestions put forward by Google appear to work.
The current situation on our website is that login names and passwords are stored by the browser, and so when a user visits the site and they're forced to login, their username and passwords are pre-populated in the relevant fields and they simply click the login button to login.
This has been deemed insecure, and while the infosec team are happy for the username to be pre-populated, they insist the password field is not.
To start with I tried adding the autocomplete="off" attribute to the password fields, but the password was still pre-populated. After some googling I found this link that shows Google decided to ignore this value and come up with a list of their own values for the autocomplete attribute...
Google ignores autocomplete="off"
They state that if we add our own, non-recognised value (such as autocomplete="please-dont-auto-fill-me") if shouldnt auto fill as it wouldnt know what that value is for.
However, I added something more meaningful - autocomplete="non-filled-value" - and it still populated the field. I've since tried a number of other things, such as renaming the password input control (removing the word "password" from the control name) etc and nothing seems to work. every time I load the login page, the password is pre-populated.
The issue I have is that my login form will be loaded on multiple browsers as different users from around the world login, and I need a solution that works for all browsers, not just Chrome.
Does anyone have any experience of this, and has a working solution for preventing fields being pre-populated/auto-filled that works cross browser? Everything I've tried (renaming fields, adding hidden fields, setting obscure autocomplete attribute values) fails to work, and whatever I try, the password is pre-populated.
Obviously, I have no control over the users actual browser settings and cant force them all to change their own personal settings.
New approach
I know how frustrating it is to try all solutions and seeing user and password fields ignore them.
Unforturnately, I haven't found a straightforward way of doing this, but I have a workaround for avoiding user password fields getting autofilled.
The problem
The main problem is that if you set input type="password", browsers automatically try fo autofill the field with saved passwords and users for the webapp, and nothing seems to work in order to stop it.
The solution
My approach is to avoid setting input type="passoword", but making the field look like a password field.
The way I found to achieve this was to build a font composed only by discs, so when you type anything in the input field, it looks like a password field, but you will never be prompted with saved user and password credentials.
I've tested this solution on Chrome, Firefox and Microsoft Edge, please let me know if is something worong with other browsers.
I know the solution is awful, but seems to work.
Link to the font, made by me using Font Forge: https://drive.google.com/file/d/1xWGciDI-cQVxDP_H8s7OfdJt44ukBWQl/view?usp=sharing
Example
Browsers will not fill in the input elements because none of them is type="password"
Place the .ttf file in the same directory where you create the following html file:
<!DOCTYPE html>
<html>
<head>
<title>Font Test</title>
</head>
<body>
<span>Name: </span><input type="text"/>
<span>Password: </span><input class="disk-font" type="text"/>
</body>
<style>
#font-face {
font-family: disks;
src: url(disks.ttf);
}
.disk-font{
font-family: disks;
}
</style>
</html>
Hope this is helpful, feel free to comment any issue.
Actually, i've recently faced this issue, and a workaround which worked form me is just setting the value as an empty string on a method (can be onload, for example if the input is in your main screen). Would be something like:
let login = document.querySelector('#inputLogin');
let password = document.querySelector('#inputPassword');
function someFun () {
login.value = '';
password.value = '';
}
Also I've already tried to put autocomplete="false" but didn't work.
As explained in this MDN article, autocomplete="off" will be ignored for password auto-fill, but autocomplete="new-password" is likely to work, though it carries additional semantic information:
If you are defining a user management page where a user can specify a new password for another person, and therefore you want to prevent autofilling of password fields, you can use autocomplete="new-password".
This is a hint, which browsers are not required to comply with. However modern browsers have stopped autofilling elements with autocomplete="new-password" for this very reason. For example, Firefox version 67 (see bug 1119063) stopped autofilling in this case; however, Firefox 70 (see bug 1565407) can suggest securely-generated passwords, but does not autofill a saved password. See the autocomplete compat table for more details.

Prevent Chrome on Mobile to open new email when tapping email address

My web app shows a list with items with certain properties. Each list item is a row, which amongst others an email address. When the row is clicked, it expands and shows more information.
All works fine on the desktop, but on mobile, Chrome recognizes the email addresses and on click it opens the email app to write an email to this address. I didn't set this myself, so this seems to be default behavior.
Is there a way to prevent this from happening?
The code to show the email address:
<p class="text-ellipsis"><em>someone#example.com</em></p>
I like to inject "zero-width no-break space" characters to fool helpy mobile browsers
<p class="text-ellipsis"><em>someone#example​.​com</em></p>
I ended up putting the email address in an tag, then styling this as normal text and disabling the default action through javascript. This way the browser thinks an action is already connected so doesn't do anything when clicked.
Since I was loading the data from a database query into a Django template, any option to add characters in the address itself would've not been possible.
Using chrome://settings/handlers then set "Don't allow sites to handle protocols" worked for me.

IE warning when pressed "mailto" button

so the problem is:
I have a mailto html tag and when used via IE8 (our clients use it...), before popping up outlook, it shows a warning "This form is being submitted using e-mail. Submitting this form will reveal your e-mail address to the recipient, and will send the form data without encrypting it for privacy. You may continue or cancel this submission".
The problem is that many of the users do not speak english, so our client wants us to either remove this message (we explained them it is a browser constraint, but they still insist on doing it) or translating it to bulgarian. Any ideas which of these is easier to do ? (I mean possible at all). Is there a way to turn this message off from the browser?
You cannot get rid of the message -- as you already said, it is a browser constraint, and entirely outside of your control.
The only way to get rid of it would be to rewrite your site to send the message via a different method. But that's overkill just to get rid of a warning message.
For the record, this isn't an IE8 issue; you'll get the same message under newer IE versions as well (I've seen it myself recently in IE11).
The real question is if your users are Bulgarian, why are they getting English messages from their browser? They should be running Windows and IE localised to their language. If they do that, then the message will show up in Bulgarian.

Can a browser learn a username/password during account creation?

I received a bug report this morning that browsers were offering to remember the password from our website's sign up form, but not regurgitating it on the login form afterwards.
My initial suggestion was to disable autocomplete on the password field of the signup form so that users wouldn't have the option to store credentials until they logged in for the first time.
However, my project manager asked me to research exactly that, whether or not it's possible to have browsers store credentials after submitting an account creation form and then properly fill in the login form upon later visits to the site?
Besides this convoluted explanation, I don't even know where to begin researching, so I'm turning to the community to see if you guys can point me in the right direction, or at least give me the right words to search for.
Thanks!!
Did you disable autocomplete on one field or complete tag?
Disable browser 'Save Password' functionality
<form id="loginForm" action="login.cgi" method="post" autocomplete="off">

Design a login form so IE will remember login data

My company website, which I develop, requires a login using a form.
Firefox correctly asks for and remembers login details, but test instances of IE6, IE7 do not remember either the username or password, and IE8 will give a dropdown of usernames previously used, but will not remember the password.
What is it about the design of my password form that allows or prevents IE from prompting?
Can I alter the design of my page so IE will remember username/password form data (assuming the user has their preferences set correctly)?
Is there some magic HTML tag, name, or style I should be using?
You might try looking into DOM storage to store username/password persistently on the client side. It'll require JavaScript though and won't work in older versions of IE.
Try adding the site(s) you're trying to access to the "Local Intranet" zone, rather than the "Internet" zone. (assuming this won't cause you security worries)
Tools/Options/Security/Intranet/Sites/Advanced --> add your site(s) here. In my experience, by putting them in the more highly trusted "Intranet" zone my passwords are remembered.
I assume the input box for the password is set as an input type of password?
One thought I had was to explore the naming convention of your form and input fields. Perhaps IE is looking for certain combinations to know that this is a login form that it can offer to save the login credentials for. Also, I have noticed that some web technologies/languages read different elements to get the field names. You might need to set your input fieldnames using both "id" and "name" to get everything to work.
Does your IE remember passwords for other sites than your company website?
Just want to make sure you have not disabled password storage in your IE.