Monday, July 30, 2007

Form Autocompletion

I am on the Gmail home page and I type "p" in the username field; I see my username in the autocomplete list, press the down arrow key, and it is filled in. I save a few keystrokes. It also helps sometimes when I forget my username on certain sites! It is too hard to remember all of them, and autofill helps me there. It is a nice feature.

Browsers store form field history by default. You can always disable it in the browser's privacy settings, and you can clear what has already been stored.

I was paying by card on a particular secure website and it asked me for my card number and CVV number. I had done a transaction on this site before. When I keyed in the first digit of my card number, it showed me my card number in the autocomplete list. That is okay. Then I went to the next field to key in my CVV number, keyed in the first digit, and got my CVV number in the autocomplete list. This is not at all good.

My card number and CVV number are in formhistory.dat (under the Firefox profile directory) and will be offered to any form field with the same name, on any site, for anyone using this profile to key in. Of course it cannot be read by plain JavaScript running in a page, so in that sense it is safe. But what happens if somebody breaks in, or if something running with the browser's own privileges reads the file?

Those fields should have been marked with autocomplete="off". If you are building a web form and a field does not need autocomplete or carries sensitive data (card numbers and CVV codes are the obvious cases), set autocomplete="off" on that input so the browser never saves its value. Keep in mind that the attribute is a hint, not a guarantee: browsers are free to ignore it (modern ones do so for login fields), and it does nothing about values that were already saved before you added it.

I actually went and checked the formhistory.dat that has been on my laptop for almost 2 years now. I was surprised at the kind of form field data stored in it; there was a lot of it. I deleted formhistory.dat, and I will make it a point from now on to delete it often. But it is still a nice feature. I will use it.
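To see what actually sits in the history file, here is an added example, not code from this post: a small Python audit script. It assumes the current Firefox layout, where form history lives in formhistory.sqlite in the profile directory as the table moz_formhistory (the 2007-era formhistory.dat was a different, Mork-format file), and it builds a throwaway copy of that table with constructed sample rows so it runs offline. It flags values that look like a card number (13-19 digits passing the Luhn check) or a CVV (3-4 digits in a field whose name says cvv/cvc/csc), masks them before printing, and can delete just the offending rows instead of the whole file. The regexes and field-name patterns are my own heuristics, not anything Firefox defines.

```python
import os
import re
import sqlite3
import tempfile
from typing import List, Optional, Tuple

# Column subset of Firefox's moz_formhistory table (formhistory.sqlite).
# Real files also carry timesUsed, firstUsed, lastUsed and guid columns,
# which the audit does not need.
SCHEMA = """
CREATE TABLE moz_formhistory (
    id        INTEGER PRIMARY KEY,
    fieldname TEXT NOT NULL,
    value     TEXT NOT NULL
);
"""

# Constructed sample rows, not taken from any real profile. The card number
# is a widely used test PAN that passes the Luhn check; "123" stands in for
# a CVV that a checkout form saved because it lacked autocomplete="off".
SAMPLE_ROWS = [
    ("q", "autocomplete firefox"),
    ("username", "prakash"),
    ("cardnumber", "4111 1111 1111 1111"),
    ("cvv", "123"),
    ("zip", "560001"),
]

PAN_RE = re.compile(r"^\d{13,19}$")                    # card numbers: 13-19 digits
CVV_RE = re.compile(r"^\d{3,4}$")                      # CVV/CVC: 3 or 4 digits
CVV_FIELD_RE = re.compile(r"cvv|cvc|csc|security", re.I)  # heuristic field names


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check that every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(fieldname: str, value: str) -> Optional[str]:
    """Label a stored value as 'card-number', 'cvv' or None."""
    compact = re.sub(r"[\s-]", "", value)
    if PAN_RE.match(compact) and luhn_ok(compact):
        return "card-number"
    # A bare 3-4 digit value is only suspicious if the field name says CVV.
    if CVV_RE.match(compact) and CVV_FIELD_RE.search(fieldname):
        return "cvv"
    return None


def mask(value: str) -> str:
    """Never echo the full secret back; keep at most the last four digits."""
    compact = re.sub(r"[\s-]", "", value)
    if len(compact) <= 4:
        return "*" * len(compact)
    return "*" * (len(compact) - 4) + compact[-4:]


def audit_formhistory(path: str) -> List[Tuple[str, str, str]]:
    """Return (kind, fieldname, masked value) for every suspicious row."""
    con = sqlite3.connect(path)
    try:
        rows = con.execute("SELECT fieldname, value FROM moz_formhistory").fetchall()
    finally:
        con.close()
    findings = []
    for fieldname, value in rows:
        kind = classify(fieldname, value)
        if kind:
            findings.append((kind, fieldname, mask(value)))
    return findings


def purge_sensitive(path: str) -> int:
    """Delete only the offending rows instead of the whole history file."""
    con = sqlite3.connect(path)
    try:
        rows = con.execute("SELECT id, fieldname, value FROM moz_formhistory").fetchall()
        bad_ids = [(rid,) for rid, f, v in rows if classify(f, v)]
        con.executemany("DELETE FROM moz_formhistory WHERE id = ?", bad_ids)
        con.commit()
    finally:
        con.close()
    return len(bad_ids)


def build_sample_db() -> str:
    """Create a throwaway formhistory.sqlite holding the constructed rows."""
    fd, path = tempfile.mkstemp(suffix="-formhistory.sqlite")
    os.close(fd)  # an empty file is a valid, empty SQLite database
    con = sqlite3.connect(path)
    try:
        con.executescript(SCHEMA)
        con.executemany("INSERT INTO moz_formhistory (fieldname, value) VALUES (?, ?)", SAMPLE_ROWS)
        con.commit()
    finally:
        con.close()
    return path


if __name__ == "__main__":
    import sys
    # Pass the path of a *copy* of your profile's formhistory.sqlite; with no
    # argument the script audits the constructed sample database instead.
    db = sys.argv[1] if len(sys.argv) > 1 else build_sample_db()
    for kind, field, shown in audit_formhistory(db):
        print(f"{kind:12} field={field!r} value={shown}")
```

Run the audit against a copy of formhistory.sqlite, since Firefox keeps the live file open while it runs. If the audit finds something, close Firefox and run purge_sensitive against the real file; that keeps the harmless entries (search terms, usernames) that make the feature worth having, whereas deleting the whole file, as the post did, throws those away too.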

PS: Always make it a point to clear all history and private info from any browser once you are done using a computer/laptop that is not your own.

2 comments:

Kalyan said...

It's a very basic thing to turn off form completion for credit card numbers & CVV.
JavaScript can't read formhistory, all right, but any extension can read files inside chrome. How many of the extensions installed on your machine are trusted?

Prakash Swaminathan said...

Right Kalyan.. JavaScript can't read it, so it is safe..
But extensions can.. nsIFormHistory is the API to work with it: http://www.xulplanet.com/references/xpcomref/ifaces/nsIFormHistory.html

It is basic to turn off autocompletion for such fields.. but some developers did not..