Autocomplete Enabled
- CWE 16
- CAPEC 163
- WASC 15
- OWASP 2017-A6
Autocomplete Enabled is a finding raised when a web form or input field that carries sensitive data (passwords, credit card numbers, personal identifiers) does not opt out of browser autofill, so the browser may save what the user typed and offer it back on later visits. Autocomplete improves usability, but saved values can be exposed if the device is shared, stolen, or compromised by malware, and anyone who can use the browser profile can have the data filled in for them. The risk is highest on public or multi-user machines. Because current browsers treat autocomplete="off" on login password fields as advisory and still offer their own password manager, this is usually reported as a low-severity or informational issue rather than a directly exploitable vulnerability.
Common patterns leading to autocomplete vulnerabilities:
- Forms containing <input type="password"> or <input type="text"> fields for sensitive data without an autocomplete="off" attribute, either on the field or on the enclosing <form>.
- Browser-stored credentials or sensitive data accessible to other users or scripts on the same device.
- Third-party scripts or browser extensions reading autocomplete-enabled fields.
- Using autocomplete on sensitive transaction or authentication forms.
Impacts:
- Credential Theft: Attackers with access to a user's device or unlocked browser profile can read or replay saved passwords and autofill entries.
- Sensitive Data Exposure: Credit card numbers, personal identifiers, or other form values saved by autofill may be disclosed.
- Facilitates Social Engineering: Exposed autocomplete data can be leveraged in phishing or account takeover attacks.
- Increased Risk in Shared Environments: Public or shared computers can reveal credentials to subsequent users.
Detection indicators:
- Login, registration, or payment forms whose sensitive fields carry no autocomplete="off" (or, for password creation fields, autocomplete="new-password") and whose enclosing form does not disable it either.
- The browser pre-filling sensitive fields that the application never opted out of autofill.
- Security scanners detecting forms that store or suggest sensitive data automatically.
Remediation
Mitigation strategies involve controlling browser behavior and securing form fields:
Disable Autocomplete for Sensitive Fields
Use autocomplete="off" on password, payment, and sensitive personal data fields, or on the enclosing <form> so that every field inherits it. Current browsers treat autocomplete="off" on login forms as advisory and will still offer to save and fill passwords from their own password manager, so this control is defence in depth rather than a hard guarantee; for password creation and change fields, autocomplete="new-password" is the value the HTML standard recommends and is honoured more consistently.
Use Secure Input Types
For credentials, passwords, or payment data, use the appropriate HTML input types (password, email, tel, etc.) together with constraining attributes such as maxlength and inputmode rather than a generic text field.
Implement Secure Storage Practices
Avoid client-side storage of sensitive information whenever possible.
Educate Users
Advise users not to save credentials or sensitive data in browsers on shared or public devices.
Use HTTPS/TLS
Ensure all form submissions occur over TLS so that values cannot be intercepted in transit; autocomplete settings do nothing to protect data on the wire.
Monitor and Audit Forms
Periodically review forms for autocomplete settings and sensitive field usage.
Security Testing
Include checks for browser autocomplete behaviour in penetration tests and automated scans.
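A small checker for the detection indicators listed above and for the field-level and form-level opt-outs described under remediation, as an added example (Node.js, no dependencies); this is not code from the original page. The function names (findAutocompleteIssues, parseAttrs, isSensitive), the sensitive-field heuristic, and the two HTML fragments it scans are constructed for illustration.

```javascript
// Added example: scan HTML for sensitive <input> fields that are still open to
// browser autofill. Names (findAutocompleteIssues, parseAttrs, isSensitive) and
// the sample forms are constructed for this illustration. The tag parsing is a
// deliberately small regex parser, not a full HTML parser, so it expects
// reasonably well-formed markup.

// Heuristic: a field is sensitive when its type is "password", or when its
// name/id/autocomplete token looks like a payment card number, card security
// code, national ID, or password-like value. Extend the pattern for your apps.
const SENSITIVE_NAME =
  /card|cc[-_]?(num|number|exp|csc|cvc|cvv)|cvv|cvc|csc|ssn|passw|passcode|passphrase|secret/i;

// Field types that never carry user-typed secrets and are skipped outright.
const IGNORED_TYPES = new Set(['hidden', 'submit', 'button', 'checkbox', 'radio', 'reset', 'image']);

// autocomplete values that tell the browser not to prefill the field from
// saved data: "off" is the generic opt-out, "new-password" is the value the
// HTML standard recommends for password creation/change fields.
const OPT_OUT = new Set(['off', 'new-password']);

// Parse ` type="password" name=pw disabled ` into { type, name, disabled }.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function isSensitive(attrs) {
  const type = (attrs.type || 'text').toLowerCase();
  if (type === 'password') return true;
  if (IGNORED_TYPES.has(type)) return false;
  return SENSITIVE_NAME.test(`${attrs.name || ''} ${attrs.id || ''} ${attrs.autocomplete || ''}`);
}

// Collect every sensitive <input> in `fragment` whose effective autocomplete
// value (its own attribute, else the enclosing form's) is not an opt-out.
function scanInputs(fragment, formDefault, formLabel, findings) {
  const inputRe = /<input\b([^>]*?)\/?>/gi;
  let m;
  while ((m = inputRe.exec(fragment)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!isSensitive(attrs)) continue;
    const effective = (attrs.autocomplete || '').trim().toLowerCase() || formDefault;
    if (OPT_OUT.has(effective)) continue;
    findings.push({
      form: formLabel,
      field: attrs.name || attrs.id || '(unnamed)',
      type: (attrs.type || 'text').toLowerCase(),
      autocomplete: effective,
    });
  }
}

// Walk each <form> first so that a form-level autocomplete="off" is inherited
// by its fields, then scan any inputs that sit outside a form.
function findAutocompleteIssues(html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const formAttrs = parseAttrs(m[1]);
    const formDefault = (formAttrs.autocomplete || 'on').trim().toLowerCase();
    scanInputs(m[2], formDefault, formAttrs.id || formAttrs.action || '(unnamed form)', findings);
  }
  scanInputs(html.replace(formRe, ''), 'on', '(no form)', findings);
  return findings;
}

// Constructed sample: a login and a checkout form with autofill left enabled.
const VULNERABLE_HTML = `
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<form id="checkout" action="/pay" method="post">
  <input type="text" name="cc-number" autocomplete="cc-number">
  <input type="text" name="cvv" maxlength="4">
  <input type="text" name="shipping_city">
</form>`;

// The same forms hardened: an explicit opt-out on the password field and a
// form-level opt-out on the checkout form that every card field inherits.
const HARDENED_HTML = `
<form id="login" action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="off">
  <input type="submit" value="Sign in">
</form>
<form id="checkout" action="/pay" method="post" autocomplete="off">
  <input type="text" name="cc-number" inputmode="numeric" maxlength="19">
  <input type="text" name="cvv" inputmode="numeric" maxlength="4">
  <input type="text" name="shipping_city" autocomplete="address-level2">
</form>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, html] of [['vulnerable', VULNERABLE_HTML], ['hardened', HARDENED_HTML]]) {
    const issues = findAutocompleteIssues(html);
    console.log(`${label}: ${issues.length} sensitive field(s) with autocomplete enabled`);
    for (const f of issues) {
      console.log(`  form=${f.form} field=${f.field} type=${f.type} autocomplete=${f.autocomplete}`);
    }
  }
}
```

Run with node and the vulnerable fragment reports the password field and both card fields (note that a payment token such as autocomplete="cc-number" actively invites autofill and is flagged as well), while the hardened fragment reports nothing. A password field reported with autocomplete="off" is still worth a manual check in a real browser, since the password manager may save it regardless.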