Mozilla Foundation Security Advisory 2005-19
Autocomplete data leak
- Announced
- February 24, 2005
- Reporter
- Matt Brubeck
- Risk
- Moderate
- Impact
- Moderate
- Products
- Firefox
- Fixed in
- Firefox 1.0.1
Description
As users press the down arrow to move through autocomplete choices, each choice is copied in turn into the input control. A malicious site could create a page that autocompletes some common data (such as phone number or SSN) and potentially convince a user to arrow through the values. Script on the page could watch the values as they are added and copy them into a hidden field for submission to the site.
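The leak described above can be seen in a small model, added here as an illustration and not taken from the advisory or from Firefox source. The class, function and sample values are constructed, and the hardened variant (preview hidden from page script until the user accepts an entry) is an assumed design, since the advisory does not say how Firefox 1.0.1 fixed the issue.

```javascript
// Toy model (constructed for illustration; not Firefox code) of a text input
// with form-fill history, as seen by script running in the page.
class FormFillInput {
  // exposePreview=true models the behaviour the advisory describes;
  // false models one possible hardening (an assumption, not the actual fix).
  constructor(history, exposePreview) {
    this.history = history;
    this.exposePreview = exposePreview;
    this.index = -1;       // currently highlighted suggestion, -1 = none
    this.committed = "";   // what the user actually accepted
  }
  arrowDown() {
    if (this.index < this.history.length - 1) this.index += 1;
  }
  enter() {
    if (this.index >= 0) this.committed = this.history[this.index];
  }
  // What page script reads from the control's value.
  get value() {
    if (this.exposePreview && this.index >= 0) return this.history[this.index];
    return this.committed;
  }
}

// Stand-in for page script that reads the control after every keystroke.
function valuesSeenByPage(input, keys) {
  const seen = new Set();
  for (const key of keys) {
    if (key === "ArrowDown") input.arrowDown();
    if (key === "Enter") input.enter();
    if (input.value !== "") seen.add(input.value);
  }
  return [...seen];
}

// Constructed sample history; the user arrows past two entries and accepts the third.
const SAMPLE_HISTORY = ["555-0100", "555-0101", "555-0102"];
const KEYS = ["ArrowDown", "ArrowDown", "ArrowDown", "Enter"];

function compareModels() {
  return {
    described: valuesSeenByPage(new FormFillInput(SAMPLE_HISTORY, true), KEYS),
    hardened: valuesSeenByPage(new FormFillInput(SAMPLE_HISTORY, false), KEYS),
  };
}
```

In the described model the page observes every stored entry the user passed over; in the assumed hardened model it observes only the entry the user accepted.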
Workaround
Turn off the Form Fill feature.