All major browsers have built-in login managers that save and automatically fill in username and password data to make the login experience more seamless. The set of heuristics used to determine which login forms will be autofilled varies by browser, but the basic requirement is that a username and password field be available.

Login form autofilling in general doesn’t require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form. Chrome doesn’t autofill the password field until the user clicks or touches anywhere on the page. Other browsers we tested [2] don’t require user interaction to autofill password fields.

Thus, third-party javascript can retrieve the saved credentials by creating a form with the username and password fields, which will then be autofilled by the login manager.

Source: freedom-to-tinker.com

Ironically before the holidays, I had to deal with this from the opposite end as auto-form filling from Safari was filling out hidden fields.

Consider the following

  • Safari's autofill can fill out more than just username/password.
  • Safari's autofill does not give you the ability to view the stored information in its local database other than site entries.
  • Safari's autofill will fill out visibility: hidden and display: none
  • Safari's autofill does not trigger a DOM event on display visibility: hidden and display: none. Safari does allow to query for input:-webkit-autofill but testing for this means super hacky setTimeout and setInverval hacks.
  • Safari does (mostly) respect the HTML5 convention but will ignore autofill off on username or password fields

This leads to a bizarre world where Safari is egregiously handing out info that can't be vetted.

Safari Autofill Manager

Pictured: Safari's autofill manager for non-username/passswords (other), doesn't allow you to see what information its autofilling or edit the values. I found some surprising entries in my Safari autofill manager.

I had the problem where a donation form was falling our API validation as Safari's autofill was completing hidden form elements without invoking changes and creating scenarios we hadn't previously considered. It took error logging to figure out Safari was the culprit, and a heavy dose of intuition to figure out that it was autofill.

The solution was to add autofill and disabled but lead me to wonder about the potential abuses of autofill. Apparently, I wasn't the only one.