Why you should not use autocomplete

Several updates to this post below!

Today at Pubcon Matt Cutts of Google once again promoted the use of autocomplete-type, a new property for web forms that works in Chrome (and possibly other browsers, I haven’t checked). Google first introduced it back in January 2012 in this post. I wanted to do this quick post to tell you to turn off autocomplete in your browser.

This test URL will show you why quicker than I can explain it in words. Please try it and come back. If you’re using autocomplete to, for instance, sign up for an email newsletter, you might have just provided that website with your full address and/or (even worse) your credit card details too. It’s as simple as adding the fields to the form and hiding them from the user…

So: turn off autocomplete until your browser has better controls on what gets autofilled.

How to turn off autocomplete in Chrome

In Chrome, go to your Settings, click Advanced, then make sure the top box here (that is checked in the screenshot) is NOT checked:

[screenshot: disable-autocomplete, the Chrome "Passwords and forms" settings with the autofill box unchecked]

Post Updates

  • It turns out Matt was talking specifically about requestAutocomplete, which is altogether different. This blogpost explains it best, go read it, as it’s rather cool. It effectively deals with the problem shown above by showing you what will be autocompleted! However, as you can see in the test above, you’re still vulnerable right now if you use “normal” autocomplete.
  • Safari is just as vulnerable to what I showed above as Chrome is. In fact, autocomplete is on by default in it:
    [screenshot: Safari autofill settings]
  • Filling credit card info requires you to focus on a credit card specific field that is not the credit card name field. This makes this feature inherently safer, but it still means a site could retrieve your personal address and much more when all you thought you were giving out is your email address or name.
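
The test form above works because the browser matches hidden fields to the same autofill data as visible ones. The script below is an added example, not part of the original post, that checks a form from the user's side: it lists every field that carries an address, contact or payment autocomplete token while being concealed from the user (display:none, visibility:hidden, zero opacity, zero size or positioned off screen). The token list is a subset of the HTML autofill field names, the concealment heuristics are my own, and the sample form is constructed for the example; in a browser, pasting it into the developer console reports the concealed fields of the current page before you submit anything.

```javascript
// Added example (not from the original post): find form fields that a browser
// would autofill but that the user cannot see. The pure functions work on plain
// field descriptions so they also run under Node without a DOM.

// Autocomplete tokens that map to personal or payment data (a subset of the
// HTML specification's autofill field names).
const SENSITIVE_TOKENS = new Set([
  'name', 'given-name', 'family-name', 'email', 'tel',
  'street-address', 'address-line1', 'address-line2', 'postal-code', 'country',
  'cc-name', 'cc-number', 'cc-exp', 'cc-exp-month', 'cc-exp-year', 'cc-csc',
]);

// Heuristic (assumption of this example): a field is "concealed" when it is
// display:none, visibility:hidden, fully transparent, zero-sized or placed
// entirely off screen. type=hidden inputs are flagged too, although the post's
// technique relies on visually hiding ordinary text inputs.
function isConcealed(field) {
  const s = field.style || {};
  const r = field.rect || { width: 0, height: 0, left: 0, top: 0 };
  if (field.type === 'hidden') return true;
  if (s.display === 'none' || s.visibility === 'hidden') return true;
  if (s.opacity !== undefined && Number(s.opacity) === 0) return true;
  if (r.width === 0 || r.height === 0) return true;
  if (r.left + r.width <= 0 || r.top + r.height <= 0) return true;
  return false;
}

// The autocomplete attribute may hold several tokens ("shipping street-address");
// the field name is always the last one. Returns the token or null.
function sensitiveToken(field) {
  const tokens = (field.autocomplete || '').trim().toLowerCase().split(/\s+/);
  const last = tokens[tokens.length - 1];
  return SENSITIVE_TOKENS.has(last) ? last : null;
}

// Fields that are both concealed and mapped to sensitive autofill data.
function auditFields(fields) {
  return fields
    .map((f) => ({ name: f.name, token: sensitiveToken(f), concealed: isConcealed(f) }))
    .filter((f) => f.token && f.concealed);
}

// Browser only: describe every input on the page in the shape auditFields expects.
function collectFormFields(root) {
  const doc = root || (typeof document !== 'undefined' ? document : null);
  if (!doc) return [];
  return Array.from(doc.querySelectorAll('input, select, textarea')).map((el) => {
    const cs = window.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      name: el.name || el.id,
      type: el.type,
      autocomplete: el.getAttribute('autocomplete') || '',
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
      rect: { width: r.width, height: r.height,
              left: r.left + window.scrollX, top: r.top + window.scrollY },
    };
  });
}

// Constructed sample: a "newsletter" form with one visible email field and
// three concealed fields asking for address, card and phone data.
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1' };
const SAMPLE_FIELDS = [
  { name: 'email', type: 'email', autocomplete: 'email', style: VISIBLE,
    rect: { width: 200, height: 30, left: 40, top: 100 } },
  { name: 'addr', type: 'text', autocomplete: 'shipping street-address',
    style: { display: 'none', visibility: 'visible', opacity: '1' },
    rect: { width: 0, height: 0, left: 0, top: 0 } },
  { name: 'card', type: 'text', autocomplete: 'cc-number', style: VISIBLE,
    rect: { width: 200, height: 30, left: -9999, top: 100 } },
  { name: 'phone', type: 'text', autocomplete: 'tel',
    style: { display: 'block', visibility: 'visible', opacity: '0' },
    rect: { width: 200, height: 30, left: 40, top: 160 } },
  { name: 'comment', type: 'text', autocomplete: 'off', style: VISIBLE,
    rect: { width: 400, height: 80, left: 40, top: 200 } },
];

if (typeof document !== 'undefined') {
  console.table(auditFields(collectFormFields()));   // real page, in DevTools
} else {
  console.log(auditFields(SAMPLE_FIELDS));           // constructed sample under Node
}
```

On the sample form only the email field is legitimately visible; the other three would be reported. A real audit should treat the result as a reason not to submit, since the browser itself offers no such view of what it is about to fill.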


60 Responses

  1. Benjamin on 23 October, 2013

    This new feature seems dangerous indeed. Thanks for the information, I just deactivated it.

    I personally use LastPass to fill forms, like that I don’t have to type everything again, but I can still control what happens.

  2. Brian Morearty on 23 October, 2013

    Everything’s a tradeoff. If you do use autocomplete, keyloggers won’t capture what you entered.

    • Angel on 23 October, 2013

      Very interesting point, Brian. Never thought about that.

      • Jacob on 24 October, 2013

        But it’s much harder to install a keylogger on a user’s machine than it is to take some free data that the browser is posting to you.

    • Caspy7 on 24 October, 2013

      Isn’t someone more likely to use this technique to get your information than get a keylogger on your system?

    • boohbah on 28 October, 2013

      You can use software like Trusteer Rapport to block keyloggers.

    • Rob on 1 November, 2013

      and if you have a key logger installed then that trojan that’s also installed probably already took all your stored data…

  3. Hassan on 23 October, 2013

    Crap! I never knew this, but I always turn off autofill, never remember passwords etc. and the like.

  4. John Garrett on 24 October, 2013

    Curses. I autocompleted this comment form. Oh, well…I guess I can trust Yoast :)

    So I guess this also goes for services like Lastpass.com and the like? I assume their “fill form” feature will fill in the hidden fields just as well?

    I wonder if there’s a way for autocomplete to check if a field is visible or deliberately hidden and either alert the user, or be set to never fill those fields in?

    I suppose the only way you could be sure is to turn it off completely.

    • Daan Kortenbach on 24 October, 2013

      You shouldn’t trust Yoast.com (or any website). Hidden fields could be injected by other parties without you (or Yoast) knowing about it. If you have ever visited a website through an anonymous proxy, your cache could be infected by an altered JavaScript file with a long expire time. For instance, jQuery loaded from a general CDN (like Google’s, used by many WordPress sites) could be altered to add malicious code which you would consecutively and unknowingly use on every site that loads that jQuery file. Luckily Yoast loads his jQuery from his own CDN, so the risk is lower, but he does load some other JavaScript from other parties (which website does not load ga.js?); these could easily be infected by a malicious anonymous proxy owner.

      Yoast’s advice is valid: turn off autocomplete. And think before you do.

      Some additional advice…
      - Never use “free anonymous” proxies (if the product is free, you are the product)
      - Clean your browser cache regularly
      - If you must use autocomplete, use a password manager like 1Password or LastPass

    • Wayne on 24 October, 2013

      I found this over on the lastpass forums.

      “We make an effort to avoid filling into hidden fields, but it could be possible for a site to use advanced CSS techniques to end up with a field that is technically visible, but (for example) is rendered off the screen.

      I personally generally work around this by having a form fill profile without sensitive data (I call it “No Financial Info”), and I use that form fill profile when I’m filling into a page that I know I don’t want to provide sensitive data to.”

      • John Garrett on 24 October, 2013

        Thanks Daan and Wayne, that’s good info.

        The convenience of autocomplete isn’t worth the potential consequences, so off it goes.

  5. Martijn on 24 October, 2013

    @Brian, not everything’s a tradeoff. It’s a matter of being conscious about your privacy, and the motivation of big, commercial companies to gather as much information about you and me as possible. To deal with this growing danger, luckily there are options to choose from. And these options are a lot more than just choosing between autocomplete or manually typing in our info.

  6. Sheifu on 24 October, 2013
  7. Sav on 24 October, 2013

    Just what I’ve entered. Got autocomplete on.

  8. Scott on 24 October, 2013

    Thanks for the great tip Yoast.

  9. Adeel Sami on 24 October, 2013

    Thank you, Joost! I always had bad feeling about auto-complete and never had it turned on for me.

  10. Karl on 24 October, 2013

    Or manage your auto-complete entries and make sure anything you don’t want revealed (Like a credit card) is not saved.
    ———————
    Click the Chrome menu Chrome menu on the browser toolbar.
    Select Settings.
    Click Show advanced settings and find the “Passwords and forms” section.
    Click Manage Autofill settings.
    ———————
    Or, simply bookmark this URL for easy access:
    chrome://settings/autofill

  11. Hayden Chudy on 24 October, 2013

    Thoughts on just curating your auto-complete? I just went into settings and you can manage every entry and delete them. I never save credit cards and never will, with properly curated addresses all they can get are your phone number or email, which doesn’t bother me since I can block spam.

    Unless I’m missing something major.

  12. Andrew on 24 October, 2013

    Thanks for the info. Will share your website link on our Facebook page for others to know.

  13. finferflu on 24 October, 2013

    This also happens in Safari unfortunately :(

  14. Roger Lapin on 25 October, 2013

    I use Firefox and it only entered my name?
    Is that ok? I didn’t even know what autocomplete was. I was told by an IT security person to use Firefox over any other browser.

  15. Matt Sells on 25 October, 2013

    Agree 100%!!
    PS: I like to see micro posts.

  16. ninjustin on 25 October, 2013

    This feature has been known to not have any security for years. Stuff is just kept in plain text files. Find a 3rd party alternative like Last Pass or something that encrypts your information if you want auto-complete. I’d rather pay attention to what info I’m giving someone anyway.

  17. Raw Hasan on 25 October, 2013

    Thanks for alerting. Removed the feature from chrome right away.

  18. nikhil on 25 October, 2013

    The same issue is perfectly working in the latest Firefox version as well; I saw it while pentesting some applications.

  19. Ranger on 26 October, 2013

    Yak, that is really scary.

  20. SeoZebra on 26 October, 2013

    I think, it has connection with the Snowden story…

  21. Bub on 26 October, 2013

    With Chrome’s developer tools, you can reveal the hidden form fields on the sample form and see how they are being populated, without even submitting the form to Yoast.

    I tried it out, and although my credit card information is stored in Chrome, I found that the form would not autopopulate the credit card fields, unless I actually used autocomplete on the cc-number, cc-exp-month, or cc-exp fields. And when you do that, Chrome pops up its dropdown with the credit card logo, so you know that it is happening.

    In short, I don’t think that you have demonstrated that this technique can be used to steal credit card information without your knowledge. On the other hand, it is able to grab other information such as full name, physical address, and email address. Although the sample form didn’t include telephone, I was able to twiddle it to see that it could grab that as well.

  22. satnam on 29 October, 2013

    Sorry guys, this question is not related to this post. Unfortunately, comments are closed on the other post. And please bear with someone who is a beginner among you experts.

    Post: http://yoast.com/change-wordpress-permalink-structure/

    I use ProPhoto, and I see two .htaccess files. One is in www directory and other is in public_html. Where do I add the redirect code, or does it need to be in both places?

    Thanks.

  23. Nimitz on 29 October, 2013

    Good thing I am not fond of using the autocomplete button.

    I always turn it off when it shows up!

  24. Sneha Malik on 29 October, 2013

    It also happens to me on Mozilla Firefox :(

    • Unlockboot on 22 November, 2013

      Yes, I got the same problem in Firefox.

  25. Nghe nhạc chất lượng cao on 30 October, 2013

    Good advice, I got some experience when seeing this post. Thank you

  26. Arup Ghosh on 30 October, 2013

    Autocomplete is a useful but dangerous feature.

  27. Raghav on 31 October, 2013

    Okay, till this time I was thinking Chrome was only filling up the few details that were asked, but if somehow some spammy or malicious sites get our personal or financial data, it will be completely our fault.

    After knowing this I’m done with auto-complete..

  28. Sean Markey on 31 October, 2013

    Thank you for posting this Yoast. I had no idea autofill could be so open to abuse. I’ll be making sure to tell everyone I know about it and sending them on to this post.
    Sean

  29. Hieu on 31 October, 2013

    Good advice. Thanks for sharing.

  30. Toan on 1 November, 2013

    Thank you for posting this Yoast.
    I like it

  31. Ramiro on 1 November, 2013

    The term “autocomplete” is misleading. The values that go into autocomplete fields come from the server and not your browser. It’s what is used for Google search etc.

    What you/Matt Cutts are talking about is AutoFill, which is indeed something you shouldn’t use.

  32. Mike on 1 November, 2013

    This apparently doesn’t happen on Safari 7 with Mavericks. I hit tab to invoke the auto complete prompt, and none of the other fields are filled except for the one.

  33. reprezenta on 1 November, 2013

    I guess taking that extra minute to fill a form by yourself seems legit now!

  34. Gabriel Gasparolo on 1 November, 2013

    I just checked on Safari (OS X Mavericks) and it alerts me what information is going to be sent.

  35. Faust on 1 November, 2013

    Does incognito mode in Chrome still work for autocomplete?

  36. Bruce on 2 November, 2013

    Thank you for sharing this Yoast
    I like it!

  37. Durga Swaroop on 3 November, 2013

    I never would have thought that such things happen. I use the autofill tool almost every day. But, yeah, I’ve deactivated it. Thanks for the info. :)

  38. Bartosz on 3 November, 2013

    I think that autocomplete will always be in use, because it makes our life easier and reduces the number of clicks ; )

  39. Dave Bezaire on 4 November, 2013

    I’m with you! I’ve been an advocate of RoboForm (and the others now available like LastPass and KeePass) for many years. In a world of so many spies, I want to control at least some of my info!

    Dave

  40. Sohail waris on 5 November, 2013

    I 100% agree with you, but before reading this article my opinion was really negative.

  41. Jaleel Hamid on 6 November, 2013

    Wow… scary stuff.
    Thanks for the heads up Yoast! :-)

  42. TJ Draper on 7 November, 2013

    Safari 7 (at least with Mavericks) is much smarter about this. It actually showed me a popup of all the info it was about to fill in and wanted to know if I was really really sure I wanted to give away all that information. Given that, I’m leaving auto-complete on.

  43. Portões Automáticos on 8 November, 2013

    Thanks for sharing this information!

  44. channarith on 9 November, 2013

    Thanks for sharing. I just did it.

  45. Steve Schellert on 9 November, 2013

    This is really good. I did not fully understand the pitfalls of not shutting off autocomplete.

  46. Muhammad Abdullah on 11 November, 2013

    Absolutely lovely!! Good work.
    Thanks for sharing information like this. It’s really so productive, as is this website. I am so happy!!!

    Thanks,
    Muhammad Abdullah

  47. JAAS on 12 November, 2013

    I just deactivated after reading this. Thanks for the info

  48. Arbaz K on 12 November, 2013

    That is really an informative article. Thanks for sharing this stuff with us. I just deactivated the autofill option to stay on the safe side.

  49. Mitchell on 17 November, 2013

    Hello Joost:
    Thank you very much for explaining autocomplete.

    Web forms have not changed much since the 90s. Autocomplete, in its current state, is not a welcome change.

    Best wishes, Mitchell

  50. Ryan Cote on 22 November, 2013

    I am also thinking if someone has basic info about you, such as your email address, they can get their hands on your computer and start auto-filling out all kinds of forms without your knowledge. Fortunately, it’s a quick fix.