Created by Jeffrey Schoemaker 15 May 2015, 07:43:16 Updated by Sebastiaan Janssen 15 May 2018, 07:09:46
Relates to: U4-11321
Sensitive form field has not disabled autocomplete OWASP: A5 Security Misconfiguration [https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration]
'''Threat''' An HTML form that collects sensitive information (such as a password field) does not prevent the browser from prompting the user to save the populated values for later reuse. Stored credentials should not be available to anyone but their owner.
'''Impact''' If the browser is used in a shared computing environment where more than one person may use the browser, then "autocomplete" values may be submitted by an unauthorized user. For example, if a browser saves the login name and password for a form, then anyone with access to the browser may submit the form and authenticate to the site without having to know the victim's password.
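The check a reviewer would run against the templates before and after the fix, as an added example that is not part of the original issue or of the project's code: it scans HTML for password inputs and reports whether browser autocomplete is disabled on the input itself or on its enclosing form. The sample markup, the form ids and the "/login" action are constructed for the example; the regex attribute parser is deliberately small and is not a full HTML parser.

```javascript
// Added example (not from the original issue or the project): audit HTML for
// password fields that leave browser autocomplete enabled.

// Parse the attributes of one start tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*[a-zA-Z0-9]+/, '').replace(/\/?>$/, '');
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return the attributes of the <form> that encloses position `index`, or null
// when the input sits outside any form (or after that form was closed).
function enclosingFormAttrs(html, index) {
  const formRe = /<form\b[^>]*>|<\/form\s*>/gi;
  let m;
  let open = null;
  while ((m = formRe.exec(html)) !== null) {
    if (m.index >= index) break;
    open = m[0].startsWith('</') ? null : parseAttrs(m[0]);
  }
  return open;
}

// One finding per <input type="password">. autocomplete is treated as disabled
// when the input says autocomplete="off", or when the input says nothing and
// its enclosing <form> says autocomplete="off" (the attribute is inherited).
function auditPasswordFields(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    if ((a.type || 'text').toLowerCase() !== 'password') continue;
    const form = enclosingFormAttrs(html, m.index);
    const formOff = !!form && (form.autocomplete || '').toLowerCase() === 'off';
    const own = (a.autocomplete || '').toLowerCase();
    findings.push({
      form: form ? (form.id || form.action || '(anonymous form)') : '(no form)',
      field: a.name || a.id || '(unnamed)',
      autocompleteDisabled: own === 'off' || (own === '' && formOff),
    });
  }
  return findings;
}

// Human-readable lines for the fields that still need fixing.
function reportMissing(html) {
  return auditPasswordFields(html)
    .filter((f) => !f.autocompleteDisabled)
    .map((f) => `password field "${f.field}" in ${f.form} leaves autocomplete enabled`);
}

// Constructed sample: the weak form as described in the issue, the corrected
// form, and a stray password input outside any form.
const SAMPLE_HTML = `
<form id="login-weak" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form id="login-fixed" action="/login" method="post" autocomplete="off">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="off">
</form>
<input type="password" name="orphan">
`;

console.log(reportMissing(SAMPLE_HTML).join('\n'));
```

Run with `node audit.js`; the two findings printed are the weak form's password field and the orphan input. One caveat when reading the results: current Chrome and Firefox ignore `autocomplete="off"` for their built-in password managers on login forms, so this attribute limits exposure in older or locked-down browsers but is not by itself a guarantee that credentials are never offered for reuse.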
I did some research and turning autocomplete off won't break password managers like LastPass.
Backwards Compatible: True
Fix Submitted: Pull request
Affected versions: 7.1.1, 7.2.0, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5
Due in version: 7.3.0