Chrome now shows passwords from Autofill in plain text

Open jhintringer opened this issue 7 years ago • 8 comments

By using this script the autofill popup is trying to suggest passwords used from this domain. Seems not to solve the problem, but creates a security issue.

Oct 15 '18 08:10 jhintringer

What version of Chrome do you use? It is better if you have an example in jsfiddle, I can take a look into it quickly.

Oct 15 '18 16:10 terrylinooo

Same on Firefox 62.0.3 (64-bit) on Ubuntu.

Oct 18 '18 06:10 Arduino1987

I'm using Chrome 71.0.3578.10 dev (Dev Channel), but it also seems to occur in the newest stable version of Chrome. OS is Win 10 Pro.

I can't make you a jsfiddle, because it depends on your machine, if you already have passwords saved for this domain ;)

Oct 18 '18 06:10 jhintringer

In Chrome 70 your demo page shows password in plain text and also I got usernames suggested I used on other domains. disableAutoFill-Plugin does not work.

Oct 24 '18 07:10 DarthSonic

I can't get it to work on Chrome either (it only seems to ignore new-password and current-password) so I experimented a little and came up with this:

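// Password inputs whose autocomplete attribute is not "on".
$(':password[autocomplete!="on"]').each(function () {
    // Start read-only so the browser does not autofill the field.
    $(this).attr('readonly', true);
    // Custom one-shot event that makes the field editable again.
    $(this).one('disable-autofill', function () {
        $(this).removeAttr('readonly');
    });
    // The first key release in the field unlocks it.
    $(this).one('keyup', function () {
        $(this).trigger('disable-autofill');
    });
    // IE and legacy Edge: unlock immediately.
    if (/MSIE|Trident|Edge/.test(window.navigator.userAgent)) {
        $(this).trigger('disable-autofill');
    }
});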

It just finds all elements which have autocomplete not set to on (ignores the form element), sets them temporarily to readonly, which disables any autofills at least in newer versions of Chrome, FF and IE, then removes the readonly attribute when the user selects the element (or in IE just triggers it). Maybe this could be an idea? @terrylinooo

Nov 05 '18 18:11 catn8r
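
As an added example (not catn8r's code and not part of the plugin): a dependency-free version of the read-only-until-first-key approach from the comment above. It never changes the field's type, so the browser keeps masking whatever ends up in it, and it skips fields the page itself marked read-only so the unlock step cannot make them editable. The names `guardPasswordField`, `guardAll` and `FakeInput`, and the `unlockEvent` parameter, are assumptions made for this example.

```javascript
// Added example, not the plugin's code. 'keyup' mirrors the snippet above;
// making the event a parameter is an assumption of this example.
function guardPasswordField(el, unlockEvent = 'keyup') {
  // Explicit opt-in to autofill: leave the field alone.
  if (el.getAttribute('autocomplete') === 'on') return false;
  // Field the page itself made read-only: locking and later unlocking it
  // would silently make it editable, so skip it.
  if (el.hasAttribute('readonly')) return false;

  el.setAttribute('readonly', '');
  el.addEventListener(unlockEvent, function unlock() {
    el.removeAttribute('readonly');
    el.removeEventListener(unlockEvent, unlock); // one-shot, like jQuery .one()
  });
  return true;
}

// Guard every password input under `root`; returns how many were locked.
function guardAll(root, unlockEvent = 'keyup') {
  let locked = 0;
  for (const el of root.querySelectorAll('input[type="password"]')) {
    if (guardPasswordField(el, unlockEvent)) locked += 1;
  }
  return locked;
}

// Constructed stand-in for an <input>, so the logic runs without a browser.
class FakeInput {
  constructor(attrs = {}) {
    this.attrs = { type: 'password', ...attrs };
    this.handlers = {};
  }
  getAttribute(n) { return n in this.attrs ? this.attrs[n] : null; }
  hasAttribute(n) { return n in this.attrs; }
  setAttribute(n, v) { this.attrs[n] = String(v); }
  removeAttribute(n) { delete this.attrs[n]; }
  addEventListener(t, fn) { (this.handlers[t] = this.handlers[t] || []).push(fn); }
  removeEventListener(t, fn) {
    this.handlers[t] = (this.handlers[t] || []).filter((h) => h !== fn);
  }
  dispatch(t) { (this.handlers[t] || []).slice().forEach((fn) => fn()); }
}

// In a page, call this once the inputs exist (for example at the end of <body>).
if (typeof document !== 'undefined') guardAll(document);
```
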

add class="password" to your password input.

Example: https://jsfiddle.net/terrylinooo/hhgzbsvy/

Dec 10 '18 11:12 kampit

> add class="password" to your password input.
>
> Example: https://jsfiddle.net/terrylinooo/hhgzbsvy/

You have a bug here: "Cannot read property 'join' of undefined" when trying to submit with an empty password field.

I have posted about this problem.

Feb 26 '19 15:02 yanivush

https://github.com/terrylinooo/jquery.disableAutoFill#suggestion + .pswd { -webkit-text-security: disc; } or // https://fontstruct.com/fontstructions/show/1106896/password_dots_2

Mar 30 '20 01:03 cekvenich