grb
December 13, 2023, 5:18pm
56
@cagonzalez Thanks for looking into the ING site issues, and for confirming that you are not considering removing the new safeguards for autofilling of invisible fields.
So, among the three suggestions I had made in March in my discussion with @go12, you have implemented the first, which is great. I would be obliged if you could offer your perspective/opinion on the suggestions in the 2nd and 3rd bullet point of that post:
The browser extension should count the number of available input fields that will be autofilled using the password field. If more than one such field is found on the current page, present the user with a warning before auto-filling. This will alert the user that there may be a hidden form on the login page, but it will have the side-effect of creating an extra confirmation step when using auto-fill to complete account registration and password change forms. The unwanted side-effect could be avoided by allowing the user to mark specific URIs as login forms (where only a single password field is expected), so that the warning is presented only when multiple password fields are detected on a form that has been designated as a login form.
Since auto-fill vulnerabilities can be greatly amplified by using Base Domain for URI match detection while also having “auto-fill on page load” enabled, it should be harder for the user to set up this dangerous combination of preferences. Specifically, in the Autofill Settings, it should not be possible to enable “Autofill on page load” (i.e., this option should be “grayed out” and inactive) unless the “Default match detection” option has been set to something other than Base Domain. Of course, there should be some accompanying explanatory text (e.g., To enable auto-fill on page load, the default match detection option cannot be set to "Base Domain"). If Base Domain matching is still required to get auto-fill to work the way the user wants, then they would still have the option to choose this setting by customizing individual URIs; thus, this proposal would not break any existing functionality, but it will enhance the security of users who do not pay attention to the consequences of their choices.