The Chrome browser has a serious leak in the autofill feature that leaves your personal info on forms, including fields on WordPress blog comments.
The leak could divulge your street address or even your credit card info.
Worst of all, you may never even know it’s happening.
Discover what info is being leaked and how to protect yourself.
Filling out forms with the same info over and over is a pain.
So, browsers make it easy for you by providing an autofill feature.
You start typing the info into a field and it suggests the rest based on what sort of field it is, like a Name field. All you have to do is click or hit Enter to complete the field with the suggestion.
You fill out all kinds of forms that intake all manner of info.
Typical form info includes:
- Street address
- Phone number
- Credit card info
The browser holds all of it.
Yes, all of it.
Including all of your credit card info, not just the number.
And that’s the problem.
Phishing sites have forms that only display one field, such as your email address to get their free gift.
But the forms also have lots of hidden fields which you can’t see.
However, the browser autofill can see them and reacts by divulging the proper data.
You could be sharing ALL of your saved autofill info and never know it.
That includes your credit card info.
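For site owners reviewing their own templates or third-party form embeds, this added example (not code from the original post) flags form fields a visitor cannot see but whose names or autocomplete hints ask for the kinds of data listed above. The keyword patterns, the inline-style heuristics and the sample form are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Data categories the article lists; the keyword patterns are assumptions.
SENSITIVE = {
    "address": re.compile(r"addr|street|city|postal|zip", re.I),
    "phone": re.compile(r"phone|tel", re.I),
    "credit card": re.compile(r"cc-|card|cvc|cvv", re.I),
}
# Inline-style signs that a visitor cannot see a field (assumed, not exhaustive).
INVISIBLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0\s*(;|$)"
    r"|(left|top)\s*:\s*-\d{3,}", re.I)

class FormAudit(HTMLParser):
    """Collects form fields that are invisible yet named like autofill data."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, category) in document order

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = {k: (v or "") for k, v in attrs}
        hidden = (a.get("type", "").lower() == "hidden" or "hidden" in a
                  or INVISIBLE.search(a.get("style", "")) is not None)
        if not hidden:
            return  # a field the visitor can see and review is not a finding
        label = " ".join((a.get("name", ""), a.get("id", ""), a.get("autocomplete", "")))
        for category, pattern in SENSITIVE.items():
            if pattern.search(label):
                self.findings.append((a.get("name", ""), category))

def audit(html):
    """Return (field name, category) for each invisible personal-data field."""
    parser = FormAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample: one visible email field plus fields the visitor never sees.
SAMPLE = """<form method="post" action="/subscribe">
  <input type="email" name="email" autocomplete="email">
  <input type="text" name="street" autocomplete="street-address" style="display:none">
  <input type="text" name="phone" autocomplete="tel" style="position:absolute; left:-5000px">
  <input type="text" name="ccnum" autocomplete="cc-number" hidden>
  <input type="hidden" name="csrf_token" value="constructed">
</form>"""
```

Calling `audit(SAMPLE)` reports the street, phone and card fields and ignores the ordinary hidden token field; fields hidden through external stylesheets or scripts are outside what this check sees.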
Only on HTTPS Sites
HTTPS sites are encrypted so that private info can be safely shared on them – info like phone numbers and credit cards.
The phishing sites mentioned above must be HTTPS to work their hidden form field magic.
Street Addresses in Blog Comments
I first became aware of this issue on recently converted HTTPS client sites that get LOTS of blog comments.
Street addresses were appearing in the comments instead of the comment itself.
At first we thought they were spam. But the client recognized the name and email addresses as a frequent commentator on the site.
We started swapping out comment related plugins and jumping through all manner of hoops to find the issue.
But it happened randomly, and never happened when we tested it ourselves.
Finally, my client Marilyn Lesniak of Marilyn’s Treats got to the bottom of it and isolated it to the Chrome autofill feature on HTTPS sites.
Android Chrome Has the Bug Too
It’s not just the Chrome desktop browser that leaks your info.
Chrome on Android leaks the same personal info too.
One difference between it and the desktop version is that the data is held in the cloud, not on the phone.
LastPass Leaks Info Too
Plus, it has recently been reported that even LastPass may leak passwords on hidden form fields as well.
Safari and Firefox
Safari did not leak as badly as Chrome, but it can still turn over more info than you intend.
Firefox is tight as a drum and does not leak your autofill info.
That’s because it first requires you to hover over the field before displaying a suggestion. That keeps hidden fields from ever being populated.
Control What You Share
Of course, the safest thing to do is to completely disable Chrome’s autofill feature.
The next best thing is to constantly check and control what info is stored in autofill.
How to Disable or Edit Chrome Autofill
- In the top right, click the Chrome menu (hamburger or three dots).
- Click Settings.
- Scroll to the bottom and click the link for “Show advanced settings.”
- Find “Passwords and forms,” and uncheck Enable Autofill.
- To edit or remove a specific entry, hover over it and click the X on the right to delete.
(I don’t know if it saves the info anew the next time you fill in another form that requires it. So do check it often if you leave autofill on.)
How to Fix Autofill on Android
- Open Settings
- Tap Autofill forms
- From there it should look like the desktop settings.
LastPass and Safari
You’ll want to Google how to keep both of these from sharing too much data.
I don’t use either so don’t have a way to vet if the info I’m finding on them is out of date with the latest versions. I found plenty of out of date info on Chrome, even in their own articles.
Will Chrome Fix This?
As of January 2017, Chrome devs acknowledged that they are aware of the issue and working on it.
This post on Gizmodo promises to update when Chrome fixes the issue.
If you have an HTTPS site, share this post with all of your regular visitors through your newsletter and/or social media. You’ll be helping them not divulge personal info on a lot more than just your blog comments!
If you see street addresses or other personal info in your comments, since you also have the email address of the person who left the comment, you may want to contact them privately and let them know to fix the leak.
If you’re in blogger, site, or security groups, share this post and help spread the word.