If the user chooses to save the form data, the values entered in these fields are cached by the browser. An attacker who can access the victim's browser could recover this information.
This is especially important if the application is commonly used on shared computers, such as in cyber cafes or at airport terminals.
First and foremost, the attacker needs either physical access or user-level code execution rights for successful exploitation. Dumping all data from a browser can be fairly easy, and a number of automated tools exist for this purpose. Where the attacker cannot dump the data, they could still browse the recently visited websites and trigger the autocomplete feature to see previously entered values.
AutoComplete in HTML forms provides the following advantages:
The AutoComplete box provides several levels of security:
The first time a Web site is made aware of the new information is when the user selects one of the suggested entries and the data is entered into the field. AutoComplete can be turned off using one of the following options:
The security measures provided for AutoComplete help protect passwords. The AutoComplete feature does not operate in the same fashion with password fields as with regular text fields. When a password is first entered, the user is prompted with the following options:
When the AutoComplete feature is set to save passwords, the password is automatically filled in when a known user name is provided, and the password and user name are stored per URL. When a password is changed, the user is prompted to save the new password.
AutoComplete provides a convenient and safe way for users to quickly complete forms, and for Web sites to enhance user experience on a page. User information saved in the AutoComplete data store is safeguarded, because Web sites cannot automatically fill in forms using the data store, and a login page facade cannot fool the browser into surrendering the information due to domain-specific security.
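The finding above is usually verified by inspecting the markup: sensitive inputs (password fields, card numbers and the like) that neither they nor their enclosing form disable with `autocomplete="off"`. The following auditor is an added example, not code from the original page or from any scanner; the two sample forms, the `SENSITIVE_NAME_HINTS` list and the `audit` function are constructed for illustration, and the list of field-name hints is an assumption to be extended per application.

```python
from html.parser import HTMLParser

# Constructed sample: a login form with autocomplete left enabled (the weak case).
WEAK_FORM = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="card_number">
  <input type="hidden" name="csrf_token" value="placeholder">
</form>
"""

# Constructed sample: the same form hardened at both form and field level.
HARDENED_FORM = """
<form action="/login" method="post" autocomplete="off">
  <input type="text" name="username" autocomplete="off">
  <input type="password" name="password" autocomplete="off">
  <input type="text" name="card_number" autocomplete="off">
  <input type="hidden" name="csrf_token" value="placeholder">
</form>
"""

# Assumed substrings that mark a field as carrying sensitive data; tune per application.
SENSITIVE_NAME_HINTS = ("pass", "pwd", "card", "cvv", "ssn", "secret", "token")


def _attr(attrs, key):
    """Return a lower-cased attribute value, treating a missing or valueless attribute as ''."""
    return (attrs.get(key) or "").lower()


class AutocompleteAuditor(HTMLParser):
    """Collects names of sensitive inputs that the browser is still allowed to cache."""

    def __init__(self):
        super().__init__()
        self.form_off = False   # True while inside a <form autocomplete="off">
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_off = _attr(a, "autocomplete") == "off"
            return
        if tag != "input":
            return
        itype = _attr(a, "type") or "text"
        # Hidden and submit inputs are never offered for autocomplete, so skip them.
        if itype in ("hidden", "submit", "button", "checkbox", "radio"):
            return
        name = _attr(a, "name")
        sensitive = itype == "password" or any(h in name for h in SENSITIVE_NAME_HINTS)
        if not sensitive:
            return
        field_off = _attr(a, "autocomplete") == "off"
        # The field is only protected if it or its enclosing form opts out.
        if not (self.form_off or field_off):
            self.findings.append(name or f"<{itype} input>")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False


def audit(html):
    """Return the names of sensitive inputs in `html` whose values the browser may cache."""
    parser = AutocompleteAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print("weak form findings:", audit(WEAK_FORM))          # ['password', 'card_number']
    print("hardened form findings:", audit(HARDENED_FORM))  # []
```

The check treats a form-level `autocomplete="off"` as covering every field inside it, which is how the attribute is inherited; a field-level attribute is still worth setting so the protection survives the form being restructured. Note that current mainstream browsers ignore `autocomplete="off"` for password fields and still offer to save credentials, so for password fields the attribute reduces exposure on other field types rather than guaranteeing nothing is stored.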