Why you should not use autocomplete

October 23rd, 2013 – 60 Comments

Today at Pubcon, Matt Cutts of Google once again promoted the use of autocomplete type hints, a fairly new attribute for web form fields (values such as name, street-address and cc-number that tell the browser what a field is for). They work in Chrome (and possibly in other browsers, I haven't checked). Google first introduced them back in January 2012 in this post. I wanted to do this quick post to tell you to turn off autocomplete (Chrome calls the form-filling part Autofill) in your browser.

This test URL will show you far quicker than I can explain it in words. Please try it and come back. The trick works like this: a form only needs to show you one visible field, say an email address for a newsletter signup, while also carrying extra fields tagged with type hints such as name, street-address, postal-code or cc-number that are hidden with CSS. When you accept the browser's autofill suggestion on the visible field, the browser fills your whole stored profile into the hidden fields as well, and submitting the form sends all of it to the site. So if you're using autocomplete to, for instance, sign up for an email newsletter, you might have just provided that website with your full address and/or (even worse) your credit card details too. It's as simple as adding the fields to the form and hiding them from the user…
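
If you want to check a form yourself before letting the browser fill it, the following snippet does what the test page above does in reverse. It is an added example, not code from the original post or from Yoast: it lists every field carrying a sensitive autofill hint that is kept out of sight, whether by display:none, visibility:hidden, zero opacity, zero size or off-screen positioning. The hint list follows the HTML autocomplete tokens; the field descriptors and the sample form are constructed for the example and are assumptions, not the post's actual test form.

```javascript
// Added example, not code from the original post: audit a form for
// autofill-hinted fields the user cannot see. auditFields() works on plain
// field descriptors so it runs anywhere (including Node); collectFromDocument()
// builds those descriptors in a browser, e.g. pasted into DevTools.

// Autofill hints that hand over more than a newsletter signup needs.
const SENSITIVE_HINTS = new Set([
  'name', 'given-name', 'family-name', 'organization',
  'street-address', 'address-line1', 'address-line2', 'address-level1',
  'address-level2', 'postal-code', 'country', 'country-name', 'tel',
  'cc-name', 'cc-number', 'cc-exp', 'cc-exp-month', 'cc-exp-year', 'cc-csc',
]);

// The field type is the last token: "shipping street-address" -> "street-address".
function hintOf(attr) {
  const tokens = (attr || '').trim().toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.length ? tokens[tokens.length - 1] : '';
}

// An ordinary text input kept out of sight: display:none, visibility:hidden,
// fully transparent, collapsed to zero size, or pushed off the viewport.
function isHidden(f) {
  if (f.display === 'none' || f.visibility === 'hidden' || f.opacity === 0) return true;
  if (f.width === 0 || f.height === 0) return true;
  if (f.right <= 0 || f.bottom <= 0) return true;
  return false;
}

// Returns the hidden fields whose hint would pull personal or card data.
function auditFields(fields) {
  return fields
    .filter((f) => SENSITIVE_HINTS.has(hintOf(f.autocomplete)) && isHidden(f))
    .map((f) => ({ name: f.name, autocomplete: hintOf(f.autocomplete) }));
}

// Browser-only helper: turns the live DOM into descriptors for auditFields().
function collectFromDocument(doc) {
  const win = doc.defaultView;
  return Array.from(doc.querySelectorAll('form input, form select, form textarea'))
    .map((el) => {
      const cs = win.getComputedStyle(el);
      const r = el.getBoundingClientRect();
      return {
        name: el.name || el.id,
        autocomplete: el.getAttribute('autocomplete'),
        display: cs.display,
        visibility: cs.visibility,
        opacity: Number(cs.opacity),
        width: r.width, height: r.height, right: r.right, bottom: r.bottom,
      };
    });
}

// Constructed sample (an assumption, not the post's real test form): one
// visible email field plus three hidden fields, each hidden a different way.
const SAMPLE_FORM = [
  { name: 'email', autocomplete: 'email', display: 'block', visibility: 'visible',
    opacity: 1, width: 240, height: 30, right: 400, bottom: 200 },
  { name: 'n', autocomplete: 'name', display: 'none', visibility: 'visible',
    opacity: 1, width: 0, height: 0, right: 0, bottom: 0 },
  { name: 'a', autocomplete: 'shipping street-address', display: 'block',
    visibility: 'visible', opacity: 1, width: 240, height: 30, right: -9759, bottom: 230 },
  { name: 'c', autocomplete: 'cc-number', display: 'block', visibility: 'visible',
    opacity: 0, width: 240, height: 30, right: 400, bottom: 260 },
];

if (typeof document !== 'undefined') {
  console.table(auditFields(collectFromDocument(document)));
} else {
  console.log(auditFields(SAMPLE_FORM));
}
```

On the sample form the audit reports the name, street-address and cc-number fields and leaves the visible email field alone. In a browser, paste the block into the DevTools console on the page you distrust; an empty table means the form only asks for what it shows you, while a populated one is a reason to type the field in by hand.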

So: turn off autocomplete until your browser has better controls on what gets autofilled.

How to turn off autocomplete in Chrome

In Chrome, open Settings, click "Show advanced settings", and in the "Passwords and forms" section make sure the Autofill box (the top one, checked in the screenshot below) is NOT checked. You can also open chrome://settings/autofill directly, which takes you to the same section and lets you review and delete the individual addresses and cards Chrome has stored:

[Screenshot: disable-autocomplete]

Post Updates

  • It turns out Matt was talking specifically about requestAutocomplete, which is altogether different. This blogpost explains it best, go read it, as it’s rather cool. It effectively deals with the problem shown above by showing you what will be autocompleted! However, as you can see in the test above, you’re still vulnerable right now if you use “normal” autocomplete.
  • Safari is just as vulnerable to what I showed above as Chrome is. In fact, autocomplete is on by default in it:
    [Screenshot: safari autofill]
  • Filling credit card info requires you to focus a credit-card-specific field (not the cardholder name field), and Chrome shows its card dropdown when it does so. That makes the credit card part inherently safer, but a site can still retrieve your name, full address, phone number and more when all you thought you were giving out was your email address or name.

60 Responses to Why you should not use autocomplete

  1. Ryan Cote
    By Ryan Cote on 22 November, 2013

    I am also thinking if someone has basic info about you, such as your email address, they can get their hands on your computer and start auto-filling out all kinds of forms without your knowledge. Fortunately, it’s a quick fix.

  2. Mitchell
    By Mitchell on 17 November, 2013

    Hello Joost:
    Thank you very much for explaining autocomplete.

    Web forms have not changed much since the 90’s. Autocomplete, in its current state, is not a welcome change.

    Best wishes, Mitchell

  3. Arbaz K
    By Arbaz K on 12 November, 2013

    That is really an informative article. Thanks for sharing this stuff with us. I just deactivated the autofill option to stay on the safe side.

  4. JAAS
    By JAAS on 12 November, 2013

    I just deactivated after reading this. Thanks for the info

  5. Muhammad Abdullah
    By Muhammad Abdullah on 11 November, 2013

    Absolutely lovely!! Good Work
    Thanks for sharing information like this. It's really so productive, as is this website. I am so happy!!!

    Thanks,
    Muhammad Abdullah

  6. Steve Schellert
    By Steve Schellert on 9 November, 2013

    This is really good. I did not fully understand the pitfalls of not shutting off autocomplete.

  7. channarith
    By channarith on 9 November, 2013

    Thanks for sharing. I just did it.

  8. Portões Automáticos
    By Portões Automáticos on 8 November, 2013

    Thanks for sharing this information!

  9. TJ Draper
    By TJ Draper on 7 November, 2013

    Safari 7 (at least with Mavericks) is much smarter about this. It actually showed me a popup of all the info it was about to fill in and wanted to know if I was really really sure I wanted to give away all that information. Given that, I’m leaving auto-complete on.

  10. Jaleel Hamid
    By Jaleel Hamid on 6 November, 2013

    Wow… scary stuff.
    Thanks for the heads up Yoast! :-)

  11. Sohail waris
    By Sohail waris on 5 November, 2013

    I 100% agree with you, but before reading this article my opinion was really negative.

  12. Dave Bezaire
    By Dave Bezaire on 4 November, 2013

    I’m with you! I’ve been an advocate of RoboForm (and the others now available like LastPass and KeePass) for many years. In a world of so many spies, I want to control at least some of my info!

    Dave

  13. Bartosz
    By Bartosz on 3 November, 2013

    I think that autocomplete will always be in use, because it makes our life easier and reduces the number of clicks ; )

  14. Durga Swaroop
    By Durga Swaroop on 3 November, 2013

    I never would have thought that such things happen. I use the auto fill tool almost every day. But, yeah, I've deactivated it. Thanks for the info. :)

  15. Bruce
    By Bruce on 2 November, 2013

    Thank you for sharing this Yoast
    I like it!

  16. Faust
    By Faust on 1 November, 2013

    Does incognito mode in Chrome still work for autocomplete?

  17. Gabriel Gasparolo
    By Gabriel Gasparolo on 1 November, 2013

    I just checked on Safari (OS X Mavericks) and it alerts me what information is going to be sent.

  18. reprezenta
    By reprezenta on 1 November, 2013

    I guess taking that extra minute to fill a form by yourself seems legit now!

  19. Mike
    By Mike on 1 November, 2013

    This apparently doesn’t happen on Safari 7 with Mavericks. I hit tab to invoke the auto complete prompt, and none of the other fields are filled except for the one.

  20. Ramiro
    By Ramiro on 1 November, 2013

    The term “autocomplete” is misleading. The values that go into autocomplete fields come from the server and not your browser. It’s what is used for Google search etc.

    What you/Matt Cutts are talking about is AutoFill, which is indeed something you shouldn’t use.

  21. Toan
    By Toan on 1 November, 2013

    Thank you for posting this Yoast.
    I like it

  22. Hieu
    By Hieu on 31 October, 2013

    Good advice. Thanks for sharing.

  23. Sean Markey
    By Sean Markey on 31 October, 2013

    Thank you for posting this Yoast. I had no idea autofill could be so open to abuse. I’ll be making sure to tell everyone I know about it and sending them on to this post.
    Sean

  24. Raghav
    By Raghav on 31 October, 2013

    Okay, till this time I was thinking Chrome was only filling up the few details that were asked, but if somehow some spammy or malicious sites get our personal or financial data, it will be completely our fault.

    After knowing this I’m done with auto-complete..

  25. Arup Ghosh
    By Arup Ghosh on 30 October, 2013

    Autocomplete is a useful but dangerous feature.

  26. Nghe nhạc chất lượng cao
    By Nghe nhạc chất lượng cao on 30 October, 2013

    Good advice, I got some experience from seeing this post. Thank you

  27. Sneha Malik
    By Sneha Malik on 29 October, 2013

    It also happens to me on Mozilla Firefox :(

    • Unlockboot
      By Unlockboot on 22 November, 2013

      Yes, I got the same problem in Firefox.

  28. Nimitz
    By Nimitz on 29 October, 2013

    Good thing I am not a fan of using the autocomplete button.

    I always turn it off when it shows up!

  29. satnam
    By satnam on 29 October, 2013

    Sorry guys, this question is not related to this post. Unfortunately, comments are closed on the other post. And please bear with someone who is a beginner among you experts.

    Post: http://yoast.com/change-wordpress-permalink-structure/

    I use ProPhoto, and I see two .htaccess files. One is in www directory and other is in public_html. Where do I add the redirect code, or does it need to be in both places?

    Thanks.

  30. Bub
    By Bub on 26 October, 2013

    With Chrome’s developer tools, you can reveal the hidden form fields on the sample form and see how they are being populated, without even submitting the form to Yoast.

    I tried it out, and although my credit card information is stored in Chrome, I found that the form would not autopopulate the credit card fields, unless I actually used autocomplete on the cc-number, cc-exp-month, or cc-exp fields. And when you do that, Chrome pops up its dropdown with the credit card logo, so you know that it is happening.

    In short, I don’t think that you have demonstrated that this technique can be used to steal credit card information without your knowledge. On the other hand, it is able to grab other information such as full name, physical address, and email address. Although the sample form didn’t include telephone, I was able to twiddle it to see that it could grab that as well.

  31. SeoZebra
    By SeoZebra on 26 October, 2013

    I think, it has connection with the Snowden story…

  32. Ranger
    By Ranger on 26 October, 2013

    Yak, that is really scary.

  33. nikhil
    By nikhil on 25 October, 2013

    The same issue works perfectly in the latest Firefox version as well, while pentesting some applications.

  34. Raw Hasan
    By Raw Hasan on 25 October, 2013

    Thanks for alerting. Removed the feature from chrome right away.

  35. ninjustin
    By ninjustin on 25 October, 2013

    This feature has been known to not have any security for years. Stuff is just kept in plain text files. Find a 3rd party alternative like Last Pass or something that encrypts your information if you want auto-complete. I’d rather pay attention to what info I’m giving someone anyway.

  36. Matt Sells
    By Matt Sells on 25 October, 2013

    Agree 100%!!
    PS: I like to see micro posts.

  37. Roger Lapin
    By Roger Lapin on 25 October, 2013

    I use Firefox and it only entered my name?
    Is that OK? I didn't even know what auto complete was; I was told by an IT security person to use Firefox over any other browser.

  38. finferflu
    By finferflu on 24 October, 2013

    This also happens in Safari unfortunately :(

  39. Andrew
    By Andrew on 24 October, 2013

    Thanks for the info. Will share your website link on our Facebook page for others to know.

  40. Hayden Chudy
    By Hayden Chudy on 24 October, 2013

    Thoughts on just curating your auto-complete? I just went into settings and you can manage every entry and delete them. I never save credit cards and never will, with properly curated addresses all they can get are your phone number or email, which doesn’t bother me since I can block spam.

    Unless I’m missing something major.

  41. Karl
    By Karl on 24 October, 2013

    Or manage your auto-complete entries and make sure anything you don’t want revealed (Like a credit card) is not saved.
    ———————
    Click the Chrome menu Chrome menu on the browser toolbar.
    Select Settings.
    Click Show advanced settings and find the “Passwords and forms” section.
    Click Manage Autofill settings.
    ———————
    Or, simply bookmark this URL for easy access:
    chrome://settings/autofill

  42. Adeel Sami
    By Adeel Sami on 24 October, 2013

    Thank you, Joost! I always had bad feeling about auto-complete and never had it turned on for me.

  43. Scott
    By Scott on 24 October, 2013

    Thanks for the great tip Yoast.

  44. Sav
    By Sav on 24 October, 2013

    Just what I’ve entered. Got autocomplete on.

  45. Sheifu
    By Sheifu on 24 October, 2013
  46. Martijn
    By Martijn on 24 October, 2013

    @Brian, not everything's a tradeoff. It's a matter of being conscious about your privacy, and the motivation of big, commercial companies to gather as much information about you and me as possible. To deal with this growing danger, luckily there are options to choose from. And these options are a lot more than just choosing between autocomplete or manually typing in our info.

  47. John Garrett
    By John Garrett on 24 October, 2013

    Curses. I autocompleted this comment form. Oh, well…I guess I can trust Yoast :)

    So I guess this also goes for services like Lastpass.com and the like? I assume their “fill form” feature will fill in the hidden fields just as well?

    I wonder if there’s a way for autocomplete to check if a field is visible or deliberately hidden and either alert the user, or be set to never fill those fields in?

    I suppose the only way you could be sure is to turn it off completely.

    • Wayne
      By Wayne on 24 October, 2013

      I found this over on the lastpass forums.

      “We make an effort to avoid filling into hidden fields, but it could be possible for a site to use advanced CSS techniques to end up with a field that is technically visible, but (for example) is rendered off the screen.

      I personally generally work around this by having a form fill profile without sensitive data (I call it “No Financial Info”), and I use that form fill profile when I’m filling into a page that I know I don’t want to provide sensitive data to.”

      • John Garrett
        By John Garrett on 24 October, 2013

        Thanks Dean and Wayne, that’s good info.

        The convenience of autocomplete isn’t worth the potential consequences, so off it goes.

    • Daan Kortenbach
      By Daan Kortenbach on 24 October, 2013

      You shouldn’t trust Yoast.com (or any website). Hidden fields could be injected by other parties without you (or Yoast) knowing about it. If you have ever visited a website through an anonymous proxy your cache could be infected by an altered JavaScript file with a long expire time. For instance jQuery loaded from a general CDN (like Google’s and used by many WordPress sites) could be altered to add malicious code which you would consecutively and unknowingly use on every site that loads that jQuery file. Luckily Yoast loads his jQuery from his own CDN so the risk is lower but he does load some other JavaScript from other parties (which website does not load ga.js?), these could easily be infected by a malicious anonymous proxy owner.

      Yoast's advice is valid, turn off autocomplete. And think before you do.

      Some additional advice…
      – Never use “free anonymous” proxies (if the product is free, you are the product)
      – Clean your browser cache regularly
      – If you must use autocomplete, use a password manager like 1Password or LastPass

  48. Hassan
    By Hassan on 23 October, 2013

    Crap! I never knew this, but I always turn off autofill, never remember passwords etc. and the like.

  49. Brian Morearty
    By Brian Morearty on 23 October, 2013

    Everything’s a tradeoff. If you do use autocomplete, keyloggers won’t capture what you entered.

    • Rob
      By Rob on 1 November, 2013

      and if you have a key logger installed then that trojan that’s also installed probably already took all your stored data…

    • boohbah
      By boohbah on 28 October, 2013

      you can use a software like Trusteer Rapport to block keyloggers

    • Caspy7
      By Caspy7 on 24 October, 2013

      Isn’t someone more likely to use this technique to get your information than get a keylogger on your system?

    • Angel
      By Angel on 23 October, 2013

      Very interesting point, Brian. Never thought about that.

      • Jacob
        By Jacob on 24 October, 2013

        But it’s much harder to install a keylogger on a users machine than it is to take some free data that the browser is posting to you.

  50. Benjamin
    By Benjamin on 23 October, 2013

    This new feature seems dangerous indeed. Thanks for the information, I just deactivated it.

    I personally use lastpass to fill forms, like that I don’t have to type everything again, but I can still control what happens.
