AutoComplete May Equal AutoCompromise


It is very convenient to have your various usernames and passwords stored on your computer. When you log into a web site or application, the browser fills the credentials in for you, so you don't have to remember which alternate identity you used or which variation of your password (or, better yet, passphrase) you registered with. Unfortunately, as with virtually everything that adds convenience or efficiency for you, it is also a security concern that an attacker can leverage to compromise your accounts just as conveniently and efficiently: stored credentials are usable by anyone who can use your browser profile, whether sitting at your keyboard or holding a stolen drive.

For example, you may like to check your bank account balances and reconcile your accounts on the bank's web site. You used AutoComplete to remember your username and password so you can log in at the click of a button without having to recall your credentials. However, if anyone else sits down at your computer and clicks the link for your personal banking web site, they too can access your confidential information without having to recall (er, hack) your credentials. See Disable AutoComplete Password Storage on my About.com Internet / Network Security site for more on how to configure or disable this feature.
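Before disabling the feature, it helps to know what a profile has already saved. The script below is an added example, not code from the original post or from About.com, and it targets Firefox's logins.json rather than the IE AutoComplete store the post discusses, because that file has a documented, stable layout: each entry's hostname and usage timestamps are stored in the clear, while only the username and password blobs are NSS-encrypted (and a primary password protects just those blobs). The sample profile, hostnames, timestamps and the keyword list used to flag sensitive sites are all constructed for this demonstration.

```python
"""Inventory saved logins in a Firefox logins.json and flag the risky ones.

Added example, not from the original post. Field names follow the real
logins.json layout; the sample data below is constructed for the demo.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the sample ages are deterministic (constructed).
NOW = datetime(2007, 9, 28, tzinfo=timezone.utc)

# Hostname keywords treated as sensitive: an assumption for the demo,
# tune it to the sites you actually care about.
SENSITIVE_KEYWORDS = ("bank", "invest", "broker", "mail", "paypal")


def _ms(dt):
    """Firefox stores timestamps as integer milliseconds since the epoch."""
    return int(dt.timestamp()) * 1000


def _entry(login_id, host, last_used, times_used):
    """Build one logins.json entry; the encrypted blobs are placeholders."""
    return {
        "id": login_id, "hostname": host, "httpRealm": None,
        "formSubmitURL": host, "usernameField": "user", "passwordField": "pass",
        "encryptedUsername": "MDIEEPgAAAA...",  # base64 NSS SDR blob (placeholder)
        "encryptedPassword": "MDoEEPgAAAA...",  # base64 NSS SDR blob (placeholder)
        "guid": "{%08d-0000-0000-0000-000000000000}" % login_id, "encType": 1,
        "timeCreated": _ms(last_used - timedelta(days=30)),
        "timeLastUsed": _ms(last_used),
        "timePasswordChanged": _ms(last_used - timedelta(days=30)),
        "timesUsed": times_used,
    }


# Constructed sample profile in the logins.json layout.
SAMPLE_LOGINS_JSON = json.dumps({
    "nextId": 5,
    "logins": [
        _entry(1, "https://www.examplebank.test", NOW - timedelta(days=5), 42),
        _entry(2, "https://forum.example.test", NOW - timedelta(days=400), 3),
        _entry(3, "https://webmail.example.test", NOW - timedelta(days=1), 310),
        _entry(4, "https://news.example.test", NOW - timedelta(days=30), 12),
    ],
    "disabledHosts": [],
    "version": 3,
})


def load_logins(text):
    """Parse logins.json text and return the list of saved-login entries."""
    return json.loads(text).get("logins", [])


def audit(logins, now=NOW, stale_days=180):
    """Return one report row per saved login with its age and risk flags.

    Nothing here needs the NSS key: hostname and timestamps are plaintext,
    which is exactly why a copied profile already tells a thief where to go.
    """
    report = []
    for entry in logins:
        host = entry["hostname"]
        last_used = datetime.fromtimestamp(entry["timeLastUsed"] // 1000,
                                           tz=timezone.utc)
        age_days = (now - last_used).days
        report.append({
            "hostname": host,
            "days_since_use": age_days,
            "times_used": entry["timesUsed"],
            "stale": age_days > stale_days,
            "sensitive": any(k in host.lower() for k in SENSITIVE_KEYWORDS),
        })
    return report


def hosts_to_remove(report):
    """Hostnames whose saved login should be deleted: sensitive or unused."""
    return sorted(r["hostname"] for r in report if r["sensitive"] or r["stale"])


if __name__ == "__main__":
    rows = audit(load_logins(SAMPLE_LOGINS_JSON))
    for r in rows:
        flags = ",".join(f for f in ("sensitive", "stale") if r[f]) or "-"
        print("%-35s last used %4dd ago  used %4dx  %s"
              % (r["hostname"], r["days_since_use"], r["times_used"], flags))
    print("remove saved logins for:", hosts_to_remove(rows))
```

Point it at a real profile by replacing SAMPLE_LOGINS_JSON with the contents of the profile's logins.json. The list it prints is the minimum to clean out; the broader fix is the one the post points to, since a thief with the machine has the same access as you do.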

One Comment to “AutoComplete May Equal AutoCompromise”

  1. Securasys
    September 28th, 2007 at 3:20 am

    Hey Tony – I was reading this post and this article is right on the money. I’ve always felt this option was a really bad design and left the door wide open for the problems you mentioned.

    A good friend of mine was unfortunate enough to have her house burglarized, and among the things taken was her laptop computer. She had configured her personal investment sites, banking sites, and email with this really convenient AutoComplete option.

    Needless to say, when she started to alert her bank, etc., they reported activity on her accounts as early as the same day of the theft! She was able to nip the problem in the bud and her finances were not affected, but she is now a potential candidate for identity theft, as social security #s, birthdates, etc. were all recorded in personal planner software on the PC: a horrific situation.

    This probably calls for hard disk encryption, but that's another article... :-)

    Jesse
    http://www.securasys.net
    PCI Compliance, Application Security Reviews, Ethical Hacking, Physical Security Site Reviews