Google Chrome AutoFill privacy and security issues

Google Chrome users who read my blog, have voiced concerns on a number of occasions recently about the AutoFill feature. Let’s take a look at this feature (which has been around for over a year now) and answer some of the privacy and security issues as well as show you how to turn off the AutoFill feature.

The first time you fill out a form, Google Chrome automatically saves the contact information that you enter, like your name, address, phone number, or email address, as an Autofill entry. You can store multiple addresses as separate entries including all important credit card information, which AutoFill will insert into a form, all in one click. What’s the big issue here? You’ve guessed right – storage of credit card data.

Here is a typical scenario – You fill out an online form and the autocomplete feature pops up with your name – you select your name and allow Chrome to fill out the form for you with your name, address (including post code) and email address. These are the three most common form field fillers. I know, you are thinking, what is wrong with that, most other websites offer this functionality and the AutoFill capability  – right? Well, Chrome is slightly different to other browsers in that there are lots and lots of hidden fields hidden from your view as opposed to the displayed fields you can see.

TIP: NEVER store credit card data with AutoFill!

I’ve been asked by my regular readers who use Chrome, to show you how to turn off the Google Chrome Form AutoFill feature. It’s actually very easy. See below.

Turning off Form AutoFill (autocomplete):

  • Click spanner icon (top right)
  • Options
  • Personal Stuff
  • Autofill
  • Uncheck “Enable AutoFill to fill out web forms in a single click”

If you are even more security conscious, then you might want to consider clearing your Chrome browser cache:

  • Click the spanner icon
  • Options
  • Under the hood
  • Clear browsing data

An interesting ‘Privacy and Security Concern’ statement from the Chromium website “Autofill should not enter information into a text field which a program could potentially read unless the user has implicitly given consent to upload that information such as by selecting an item from a drop-down menu or hitting the submit button.  Otherwise, a sinister person could construct a website with hidden form fields which harvest personal data by getting autofilled.”

Some solutions for managing AutoFill could involve enabling top level Form AutoFill i.e. name, address and email address but with Credit Card AutoFill and Passwords, both could also be automatic (possibly including an expiration date for ‘Autocomplete’ which isn’t the same as AutoFill) but should ask your permission to store the card data and passwords. One major issue I’ve posted about in the past is websites using evercookies to store auto-complete data – believe me some websites do this and you probably didn’t know that did you! You’d need to delete cookies from your system to remove this security issue. Have hackers looked to exploit the AutoFill for credit card and address data? Probably, but Google wouldn’t want to publish this type of vulnerability would they!

I think the statement above says everything you need to know about how careful you should be when using the Google Chrome Auto-Fill feature.

Safe surfing folks!

This entry was posted in browser, google, privacy and tagged , , . Bookmark the permalink.

7 Responses to Google Chrome AutoFill privacy and security issues

  1. Pingback: Google Chrome AutoFill privacy and security issues | News | IT Security Magazine - Hakin9

  2. Steven G says:

    Recently I have discovered that information I never added to my autofil is present when I use the feature. Pacific Home Solutions (a notorious California scam that abuses the Do Not Call registry) has now been listed as my ‘company’ and their phone number has been added to my personal phone numbers. How does this happen? What do I need to do to avoid it happening again and how did this company hack my computer when I have never had any dealings with them or gone to their website? I have run AVG to find any viruses, but is this enough?


  3. Yoshiyah says:

    There is no setting in my Chrome or Gmail settings to cause my autofill to work on email addresses. Absolutely NOTHING you write here exists. There is no wrench to click on and none of the other descriptions exist either. I have been on line for over an hour and no one seems to know what they are talking about. I have three little bars I can click to open other menus and none of it is what you describe. It is Jan 2014. Your info is over three years old and extinct.

  4. Jonathan Plante says:

    I can see other user’s passwords and I can connect to their different accounts and see important information and steal their identity.


    My account gets synchronized (in part) with other accounts even though I try not to.

    At work, when I use a computer that is not mine, I use Chrome, and I connect to my account, I switch person, I create a profile. Extensions are installed, passwords, favorites, and everything.

    When I visit same web pages that other users are also visiting with their Chrome account, I see their username and password. I can connect to their account.

    And, I can’t remove the information. Every time I open those web pages, I can connect to lots of user’s accounts, even to user’s that have not used that specific computer.

    Even on my personal computer that I have not let anyone use, let’s say I open, I can connect to 4 different users.

    Also, for some web pages, when I open it, I never see my info in the username and password boxes. I only see other user’s name and password. I always have to delete their info, then type mine, every time.

    When I’m done using a computer that is not mine, before I close Chrome, I go to settings/Disconnect your Google Account, I check the box “Also clear all history, settings, ….”. But, the other day, we had a power failure and I didn’t get the chance to disconnect my google account. Now, the person that uses this computer has access to my info.

    Our lives are exposed because of Chrome.

    How could they let this happen? We know they are aware of the problem for a long time. They need to resolve it!

  5. jo ann ivans says:

    i clicked auto fill for a rental car application and my name and another persons name popped up as a choice , never entered this person’s name in my computer what is up should i be worried

    • Julian says:

      “jo ann ivans” Does anyone else have access to your computer login credentials? You should change your login credentials if you suspect your account has been compromised.

Leave a Reply

Your email address will not be published. Required fields are marked *