Chrome's autofill feature can leak your personal info into form fields you never meant to fill, including the comment box on WordPress blogs.
The leak can divulge your street address, phone number, or even your saved credit card details.
Worst of all, you may never know it is happening.
Discover what info is being leaked and how to protect yourself.
About Autofill
Filling out forms with the same info over and over is a pain.
So, browsers make it easy for you by providing an autofill feature.
You start typing the info into a field and it suggests the rest based on what sort of field it is, like a Name field. All you have to do is click or hit Enter to complete the field with the suggestion.
The Problem
You fill out all kinds of forms that intake all manner of info.
Typical form info includes:
- Name
- Username
- Password
- Street address
- Phone number
- Credit card info
Chrome saves all of it: addresses, phone numbers and email addresses as autofill profiles, credit cards as saved payment methods, and usernames and passwords in its password manager.
Yes, all of it.
For a credit card that means the name on the card, the number, and the expiration date (Chrome does not save the security code).
And that’s the problem.
Hidden Fields
Phishing sites are exploiting this issue heavily.
Their form displays only one field, such as your email address to claim a free gift.
But the same form also contains many more fields that are hidden from view with CSS (pushed off-screen or otherwise made invisible). These are ordinary text inputs, not the HTML type="hidden" inputs, which autofill ignores.
The browser's autofill still sees those fields, so when you accept the suggestion for the visible field it fills the whole form, hidden fields included, and submitting the form sends all of it to the site.
You could be sharing ALL of your saved autofill info and never know it.
That includes your credit card info.
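The following scanner, added here as an example and not code from the original post, shows what such a form looks like and how to spot it. It takes captured HTML and flags inputs that autofill would consider filling but that a person cannot see. The sample form is constructed to resemble the "one visible field, many hidden ones" trick described above, and the inline-style patterns it treats as "hidden" are this example's own assumptions about how a field is kept out of view.

```javascript
// Added example, not from the original post: scan captured HTML for form
// fields that are hidden from the eye but still candidates for browser autofill.

// Field names / autocomplete tokens that map to saved autofill data.
const SENSITIVE = /(name|email|address|street|city|zip|postal|country|phone|tel|cc-|card|cvc|exp)/i;

// Inline-style tricks that keep a field out of view (assumed patterns).
// Off-screen positioning is the one used in the public demonstration of this leak.
const HIDE_PATTERNS = [
  { reason: 'display:none',      re: /display\s*:\s*none/i },
  { reason: 'visibility:hidden', re: /visibility\s*:\s*hidden/i },
  { reason: 'opacity:0',         re: /opacity\s*:\s*0(?![.\d])/i },
  { reason: 'off-screen',        re: /(?:left|top)\s*:\s*-\d{3,}px/i },
  { reason: 'zero size',         re: /(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)/i },
];

// Parse the attributes of one <input ...> / <textarea ...> / <select ...> tag.
// Handles key="v", key='v', key=v and bare boolean attributes such as `hidden`.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\w+/, '').replace(/\/?>$/, '');
  const re = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Why a field is invisible, or null if nothing in its markup hides it.
function hiddenReason(attrs) {
  if ('hidden' in attrs) return 'hidden attribute';
  const style = attrs.style || '';
  const hit = HIDE_PATTERNS.find(p => p.re.test(style));
  return hit ? hit.reason : null;
}

// Return every invisible field whose name/id/autocomplete hints at personal data.
function findHiddenAutofillTargets(html) {
  const findings = [];
  const tagRe = /<(?:input|textarea|select)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    const type = (attrs.type || 'text').toLowerCase();
    // type=hidden inputs and buttons are never autofilled, so they are not a leak path.
    if (['hidden', 'submit', 'button', 'reset', 'checkbox', 'radio'].includes(type)) continue;
    const reason = hiddenReason(attrs);
    const label = [attrs.name, attrs.id, attrs.autocomplete].filter(Boolean).join(' ');
    if (reason && SENSITIVE.test(label)) {
      findings.push({
        name: attrs.name || attrs.id || '(unnamed)',
        autocomplete: attrs.autocomplete || '',
        reason,
      });
    }
  }
  return findings;
}

// Constructed sample: one visible email box, five invisible fields, one real type=hidden token.
const SAMPLE_FORM = `
<form action="/claim-gift" method="post">
  <label>Email for your free gift</label>
  <input type="text" name="email" autocomplete="email">
  <input type="text" name="name" autocomplete="name" style="position:absolute; left:-5000px">
  <input type="text" name="street" autocomplete="street-address" style="position:absolute; left:-5000px">
  <input type="text" name="city" autocomplete="address-level2" hidden>
  <input type="text" name="phone" autocomplete="tel" style="display:none">
  <input type="text" name="cc" autocomplete="cc-number" style="opacity:0; width:0; height:0">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="submit" value="Send my gift">
</form>`;

for (const f of findHiddenAutofillTargets(SAMPLE_FORM)) {
  console.log(`hidden autofill target: ${f.name} (${f.autocomplete}) - ${f.reason}`);
}
```

On the sample it reports name, street, city, phone and cc; the visible email box and the csrf_token input are not flagged. Because it only reads inline styles, a field hidden through a stylesheet class will slip past it; inside a real browser the same check should use getComputedStyle and getBoundingClientRect on each field instead of pattern-matching the style attribute.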
HTTPS Sites and Credit Cards
HTTPS sites encrypt the connection so that private info such as phone numbers and credit cards can't be read in transit. It does nothing to limit what the form itself collects.
Chrome offers saved credit cards only on HTTPS pages, so a phishing site that wants your card details has to be served over HTTPS. Address, phone and email autofill also work on plain HTTP pages, so that part of the leak is not limited to HTTPS sites.
Street Addresses in Blog Comments
I first became aware of this issue on recently converted HTTPS client sites that get LOTS of blog comments.
Street addresses were appearing in the comments instead of the comment itself: Chrome was treating the comment box as an address field and filling it with the commenter's saved street address.
At first we thought they were spam. But the client recognized the names and email addresses as belonging to a frequent commenter on the site.
We started swapping out comment-related plugins and jumping through all manner of hoops to find the issue.
But it happened randomly, and never happened when we tested it ourselves.
Finally, my client Marilyn Lesniak of Marilyn’s Treats got to the bottom of it and isolated it to the Chrome autofill feature on HTTPS sites.
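For site owners, a check that flags comments which look like autofilled personal data rather than an actual comment, so the commenter can be contacted privately as the post suggests. This is an added example, not code from the original post or from WordPress. The sample comments are constructed, and the address and phone patterns are simple US-style heuristics, so treat hits as leads to review rather than proof.

```javascript
// Added example, not from the original post: flag blog comments whose text
// looks like a street address or phone number that autofill dropped into the
// comment box. Patterns are US-centric heuristics, assumed for illustration.

// "742 Evergreen Terrace": house number, one to four capitalised words, street suffix.
const STREET_RE = /\b\d{1,6}\s+(?:[A-Z][a-z]+\s+){1,4}(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Boulevard|Ln|Lane|Dr|Drive|Ct|Court|Pl|Place|Ter|Terrace|Way)\b/;
// "Springfield, IL 62704": city, two-letter state, 5-digit ZIP (optional +4).
const ZIP_LINE_RE = /\b[A-Z][a-zA-Z .]+,\s*[A-Z]{2}\s+\d{5}(?:-\d{4})?\b/;
// "(555) 123-4567" or "555-123-4567" / "555.123.4567".
const PHONE_RE = /(?:\(\d{3}\)\s*|\b\d{3}[-. ])\d{3}[-. ]\d{4}\b/;

// Return the kinds of personal data found in one comment body (empty if none).
function classifyComment(text) {
  const reasons = [];
  if (STREET_RE.test(text)) reasons.push('street address');
  if (ZIP_LINE_RE.test(text)) reasons.push('city/state/zip');
  if (PHONE_RE.test(text)) reasons.push('phone number');
  return reasons;
}

// Given comment records {id, email, body}, return the ones worth a private
// heads-up to the commenter, with the email address needed to reach them.
function findLeakedComments(comments) {
  return comments
    .map(c => ({ id: c.id, email: c.email, reasons: classifyComment(c.body) }))
    .filter(c => c.reasons.length > 0);
}

// Constructed sample comments; only 102 and 103 contain leaked data.
const SAMPLE_COMMENTS = [
  { id: 101, email: 'reader1@example.com', body: 'Great recipe, thanks for sharing!' },
  { id: 102, email: 'reader2@example.com', body: '742 Evergreen Terrace\nSpringfield, IL 62704' },
  { id: 103, email: 'reader3@example.com', body: 'Call me at (555) 123-4567 about the giveaway' },
  { id: 104, email: 'reader4@example.com', body: 'I live on Main Street too, small world.' },
];

for (const c of findLeakedComments(SAMPLE_COMMENTS)) {
  console.log(`comment ${c.id} from ${c.email}: ${c.reasons.join(', ')}`);
}
```

Comment 104 mentions a street name without a house number and is correctly left alone; the point of the check is to catch whole address blocks and phone numbers, which is what autofill writes into the comment box. On a WordPress site the same function can be run over an export of the comments table before deciding whom to email.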
Android Chrome Has the Bug Too
It’s not just the Chrome desktop browser that leaks your info.
Chrome on Android leaks the same personal info.
One difference from the desktop version is that the data is held in the cloud (synced with your Google account) rather than only on the phone.
LastPass Leaks Info Too
It has also been reported recently that LastPass may fill passwords into hidden form fields as well.
Safari and Firefox
Safari did not leak as badly as Chrome, but it can still hand over more info than you intend.
Firefox is tight as a drum and does not leak your autofill info.
That’s because it only offers a suggestion for the field you are actually interacting with, which keeps hidden fields from ever being populated.
Control What You Share
Of course, the safest thing to do is to completely disable Chrome’s autofill feature.
The next best thing is to regularly review and control what info is stored in autofill.
How to Disable or Edit Chrome Autofill
- In the top right, click the Chrome menu (hamburger or three dots).
- Click Settings.
- Scroll to the bottom and click the link for “Show advanced settings”.
- Find “Passwords and forms,” and uncheck Enable Autofill.
- To edit or remove a specific entry, click the Manage Autofill settings link, hover over the entry, and click the X on the right to delete it.
(I don’t know if it saves the info anew the next time you fill in another form that requires it. So do check it often if you leave autofill on.)
How to Fix Autofill on Android
- Open Chrome, tap the three-dot menu, then Settings
- Tap Autofill forms
- From there it should look like the desktop settings: switch autofill off, or edit and delete individual entries.
LastPass and Safari
You’ll want to Google how to keep both of these from sharing too much data.
I don’t use either, so I don't have a way to vet whether the info I’m finding on them is out of date with the latest versions. I found plenty of out-of-date info on Chrome, even in their own articles.
Will Chrome Fix This?
As of January 2017, Chrome devs acknowledged that they are aware of the issue and are working on it.
This post on Gizmodo promises to update when Chrome fixes the issue.
Tell Everybody
If you have an HTTPS site, share this post with all of your regular visitors through your newsletter and/or social media. You’ll be helping them avoid divulging personal info on a lot more than just your blog comments!
If you see street addresses or other personal info in your comments, you also have the email address of the person who left the comment, so you may want to contact them privately and let them know how to fix the leak.
If you’re in blogger, site, or security groups, share this post and help spread the word.
Thank you MaAnna for sharing this important info. Also a great big thanks for mentioning my blog. I have seen this occur for over 3 months and about 30% of my comments have been affected. Please everyone spread the word!
Really appreciate your diligence in getting to the bottom of it Marilyn!!!!!!!
My comment went poof. Let me try again.
A site does not have to be HTTPS to have this happen. It started happening a couple of months ago on my site and after much testing and hair pulling, I finally tracked it to auto-fill. Sorry I did not think of mentioning it to you, MaAnna.
Thanks for letting us know that it can happen on HTTP sites as well, Gaye. I think the phishing sites have to be HTTPS to get CC info, but not sure.
Amazing investigative work, MaAnna! Thanks for helping me out!!
Jamie
Glad to finally know what it is Jamie! Appreciate your patience and diligence to troubleshoot during the process.
Thanks for the heads up MaAnna, am sharing your alert.
Happy to help Tina! Marilyn deserves all the credit for putting me on the right track with it.
I have had many comments on my blog and have had to inform each person that if they use auto-fill the address will show. I am glad the information is getting out there.
I was just about to email you Debra, to ensure you saw the post. Glad the issue has been found and hope folks take action. I know we all don’t want to lose comments on our blogs over it, and we want our peeps to be safe.
Thanks for sharing this MaAnna. It’s appalling how careless and/or devious these companies are with our personal info. I shared it all over!
There’s definitely a TON of money to be made on all that info, Karen!!!! Up to us to be super vigilant and as careful as we can be.
Thanks so much for sharing to help protect others too!!
I use LastPass to manage all of my form fills. Do you know if that has the same problem too?
Michael, there’s a link in the post to the research I found about LastPass. And you’ll want to do even more research from there to be sure.