8 comments on “Automatic autofill of your username and password? Not a good idea”

  1. Jeffrey Goldberg

    Shameless plug

    1Password has never allowed automatic autofill, exactly because of attacks like this (and even worse).

    Chief Defender Against the Dark Arts at AgileBits (the makers of 1Password)

  2. Nick Ballard

    I use Dashlane and, after storing my test information, I tried auto-filling and non-auto-filling my information and neither time did my data get compromised – or, at least, the fields showed nothing on the test page.

    I have always been of the opinion, possibly misguided, that the credentials would/should only be presented to a specific URL and not the general domain – i.e. there has to be an exact page name match for the credentials to be provided – if the password manager is any good?
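The "exact page match" versus "general domain" distinction raised in the comment above, as an added example that is not the commenter's code nor any password manager's implementation: three candidate matching policies (the policy names and the `mayOffer` helper are my own labels) decide whether a stored credential may be offered to a page at all. The wider the policy, the more pages on which a filled form field would be reachable by whatever scripts run there.

```javascript
// Added example: credential-offer policies for a password manager,
// to show what "exact page match" vs "domain match" actually means.
// Policy names and the helper below are illustrative assumptions.
const POLICIES = {
  // Host-suffix match (a simplified "domain" rule): same scheme, and the
  // page host equals the stored host or is a subdomain of it.
  hostSuffix: (stored, page) =>
    stored.protocol === page.protocol &&
    (page.hostname === stored.hostname ||
      page.hostname.endsWith("." + stored.hostname)),
  // Origin match: scheme, host and port must all be identical.
  origin: (stored, page) => stored.origin === page.origin,
  // Exact page match: origin and path must both be identical.
  exactPage: (stored, page) =>
    stored.origin === page.origin && stored.pathname === page.pathname,
};

// Returns true if a credential stored for storedUrl may be offered on pageUrl
// under the named policy. Rejects unknown policies and never downgrades
// an https credential to an http page regardless of policy.
function mayOffer(policy, storedUrl, pageUrl) {
  if (!(policy in POLICIES)) throw new Error("unknown policy: " + policy);
  const stored = new URL(storedUrl);
  const page = new URL(pageUrl);
  if (stored.protocol === "https:" && page.protocol !== "https:") return false;
  return POLICIES[policy](stored, page);
}

// Constructed sample: one stored credential checked against several pages,
// so the difference between the policies is visible side by side.
function comparePolicies(storedUrl, pageUrls) {
  const result = {};
  for (const pageUrl of pageUrls) {
    result[pageUrl] = {};
    for (const name of Object.keys(POLICIES)) {
      result[pageUrl][name] = mayOffer(name, storedUrl, pageUrl);
    }
  }
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(comparePolicies("https://example.com/login", [
    "https://example.com/login",
    "https://example.com/account",
    "https://blog.example.com/post",
    "http://example.com/login",
    "https://example.net/",
  ]));
}
```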

  3. Mike

    I always use a password manager – I never allow a browser to store passwords, or allow a site to remain logged in (unless I forget…).

  4. Alfonso

    Happy New Year!!!! Mozilla Firefox 57 is doing it? Any comments? Thank you

    1. coyote · in reply to Alfonso

      FF57 is vulnerable, yes.

  5. coyote

    FWIW NoScript doesn't currently pick up on this (that or they use a server that is used elsewhere and I have thus whitelisted?). Perhaps this should be reported to them but I have too much going on to deal with that atm. Nevertheless even if they do fix it many people don't like NoScript.

    Because of said too much going on, do they describe how it works? Let's use example.com and example.net for example. But let's pretend they're on different servers or isolated processes. Is it possible for a script on example.com to attempt to log in to example.net and thus sniff it? Of course the impossible can become possible, but that's for the future.

  6. coyote

    Right. I just read the summary. I do have a lot going on as I noted.

    Something else. There is a semantics thing going on here. At least on the surface. Most people are going to think of it auto-fills only when you are attempting to log in. Also they will think that you have to click 'log in' (or whatever) to do this and thus nothing is sent. But of course it could be working at a different level and/or in addition. It's masquerading it in the end. This is all the more reason to use 2SA/2FA when possible – whether you're using this feature or not. Multiple layers.

    1. coyote · in reply to coyote

      To elaborate on my semantics point.

      Are you saving the password so you can then click 'log in' without having to type the login/password? Or are you saving it so that you don't have to bother logging in? And if you don't have to log in every time is it because of that or session cookies (I might be mixing that up)?

      And therein lies the problem: one might expect you have to click 'log in' but not necessarily.
