Autocomplete is always a fun topic to discuss…. ok maybe my idea of fun is not the normal idea. 🙂 During our web penetration testing, we often find where the client’s application allows the password or other sensitive information to be saved by the browser. When we find it, we often have push back from the client stating that its the end user’s decision to allow this. (Of course we disagree. <grin>)
Recently I was working with my daughter (Sarah), who is home schooled, on a spelling lesson. She was trying out this online service that provides lessons such as spelling and math for students. While working through a spelling lesson with her, I noticed an interesting problem. Autocomplete was enabled for the input boxes. (On Sarah’s laptop, I have autocomplete enabled because she is 6 and doesn’t use credit cards. <grin>)
This started me thinking about the use of autocomplete and the typical response from security testers. I believe that most of you reading this would mention autocomplete being enabled for a credit card field or a password entry box on a web site. (Even if its just a low or informational finding.) But do you evaluate the other fields and entry boxes? Do you base your thought process around the actual business process and if the data could be considered sensitive?
To better understand this, let’s walk through the business issue with this application. First, the lesson was a spelling lesson. On the previous series of pages, the application presented a lesson that defined a word and had a form field. When Sarah clicked into the field, an onfocus event fired which played an audio file of the word being spoken. She would then type each word as part of the lesson. Finally, at the end of the lesson there is a test. This test also used the onfocus event to play the word she needed to spell. When Sarah clicked into the field, it would display the autocomplete history which was the word from when she did the practice portion of the lesson.
While this is not an earth shattering flaw, it does undermine the main purpose of the online lesson system. Which would be a business issue since this is a subscription service and if I can’t trust that the test results aren’t based on if my kid pays attention to the autocomplete, then why would I pay for the service?
As penetration testers, this is exactly the type of business concern that we need to be paying attention to while testing. And for the record, I did notify the lesson provider and have not yet heard back from their developers.
Kevin Johnson is the CEO of Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.