AutoComplete Feature Puts Millions of Internet Explorer Users At Risk
Out of the annual gathering of security specialists in Las Vegas at the Black Hat Conference this week came a warning to Internet Explorer (IE) users to turn off AutoComplete, a convenient feature that automatically fills in personal information in Web-based forms.
In an interview with InternetNews.com before his session "Breaking Browsers: Hacking Auto-Complete," Jeremiah Grossman, founder and CTO of WhiteHat Security, said that both IE6 and IE7 are vulnerable to attack. Grossman built proof-of-concept code that could enable an attacker to read the AutoComplete content that may be stored in a user's browser.
AutoComplete information could include a user’s name, address and credit card information.
Grossman said that IE 8 is not vulnerable to the same exploit.
A similar auto-fill flaw found in Apple's Safari browser was patched on Wednesday. Grossman said despite the security patch, Safari 4 and 5 users are still at risk.
Grossman originally found the bug in the summer of 2009 and disclosed it to Microsoft that December. To date, there has been no patch for the flaw.
AutoComplete is not on by default – users must give permission when prompted during a browser session – but given the risk, users should check their settings. To do this in Internet Explorer, click on the Tools menu and select Internet Options. Select the Advanced tab. Uncheck "Use inline AutoComplete."
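For administrators who would rather audit (and, if wanted, harden) the same settings on many machines than click through the dialog on each one, here is an added PowerShell script; it is not code from the article or from Grossman's talk. It assumes the per-user registry values IE uses for these checkboxes (`Use FormSuggest`, `FormSuggest Passwords` and `Append Completion`, each holding "yes" or "no"), which are assumptions based on Microsoft's documented settings rather than anything the article states.

```powershell
# Added example (not from the article): report the current user's IE AutoComplete
# settings and optionally turn them off. Registry value names are assumptions taken
# from Microsoft's documented IE settings, not from the article.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';         Name = 'Use FormSuggest';       Label = 'AutoComplete for forms' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';         Name = 'FormSuggest Passwords'; Label = 'Saved user names and passwords' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\AutoComplete'; Name = 'Append Completion';     Label = 'Use inline AutoComplete (Advanced tab)' }
)

function Get-IEAutoCompleteState {
    param([switch]$Disable)   # -Disable writes "no" to every value that is currently "yes"
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        # Three states: explicitly on, explicitly off, or never set (IE's own default applies)
        $state = switch ($value) {
            'yes'   { 'enabled' }
            'no'    { 'disabled' }
            default { 'not set (IE default applies)' }
        }
        if ($Disable -and $state -ne 'disabled') {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value 'no' -Type String
            $state = 'disabled (changed by script)'
        }
        [PSCustomObject]@{ Setting = $c.Label; Value = $c.Name; State = $state }
    }
}

# Audit only; add -Disable to harden. Run per user, since the values live under HKCU.
Get-IEAutoCompleteState | Format-Table -AutoSize
```

Because the values are per-user, run the script in each user's session (or via a logon script) rather than once as an administrator; it does not clear data AutoComplete has already stored, only the setting that lets IE keep using it.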
To eliminate the risks of this threat, Grossman said users should upgrade to IE 8, Google's Chrome or Mozilla's Firefox.