Vulnerability Name: AutoComplete Attribute Not Disabled for Password in Form Based Authentication
Most modern web browsers allow storing of the username and password in web authentication forms.
This was not always the case. Why does this occur now?
There is a vulnerability concern that an unauthorised user can click through a web authentication form that has data filled in by autocomplete. Thus gaining access to sensitive data.
How can PPM and other products be safeguarded from this type of use?
This is general advice for any web software, on most browsers (Chrome, Firefox, Edge, Safari, Internet Explorer etc).
The specific query originated from CA PPM, for any version.
Resolution in Brief
The following findings have come from a review by Broadcom Software Engineering in ticket DE51852.
1) Browsers have moved towards allowing the saving of username and passwords as a standard.
This functionality is working as expected in PPM. This is not something that will be addressed further in product, as control rests with the browser environment.
2) Individual users may disable password saving at the browser level.
They may also secure access to the browser/browser data by other means.
These approaches work with PPM if required.
For PPM, the flag "autocomplete=off" is already set at the form level, in the login page.
However, by design many browsers will not honour this setting. They will still prompt for saving the credentials. This occurs at the browser level, and so applies to many products, and not only PPM.
This page Mozilla Developer Network covers the theory well for many modern browers: How to turn off form autocompletion. In particular this section:
The autocomplete attribute and login fields
Modern browsers implement integrated password management: when the user enters a username and password for a site, the browser offers to remember it for the user. When the user visits the site again, the browser autofills the login fields with the stored values.
Additionally, the browser enables the user to choose a master password that the browser will use to encrypt stored login details.
Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.
This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).
That page also has a workaround at the section "Tools for disabling autocompletion," however it notes it is not a complete solution.
The page also covers editing the form to preventing autofilling with: autocomplete="new-password"
However, it notes again that not all browsers honour this.
Solutions on a Per User Basis
1) This issue arises when an attacker has access to the browser with the autocompleted information.
Standard methods of securing this page from unauthorised access, such as securing the operating system with a login password and timeout on inactivity or an o/s logout by the user, prevent many such opportunities.
2) Password Managers have also become a lot more common. Users with a password manager may avoid this issue. By design, they encourage higher security passwords, with less re-use, and may have features to avoid this scenario of password autocomplete. They also allows better site specific control, in addition to "all on" or "all off."
3) The recommended solution for a shared environment, in combination with the above, is for users to request their own browsers not to save passwords.
For example in Chrome the "Offer to save passwords" option may be turned off by the users: Manage passwords.
By default, Chrome offers to save your password. You can turn this option off or on at any time.
See Additional Information for links to other sites which cover many browsers.Turn off the built in password manager in your browser
Turning off Password Management on Different Browsers
These are but two of many pages on the internet offering advice on disabling autocomplete for user passwords against Edge, Chrome, Firefox, Internet Explorer and Safari. If you have a different browser, search for that browser name and key words such as "disable password autocomplete".
Background Information for Developers
You can find similar advice by searching the internet for phrases such as "How to turn off form autocompletion +developers". For example, a similar discussion pages have been raised specifically for Chrome in this thread, with comments and suggestions which overlap the above Mozilla Developer page: Programmatically disabling Chrome auto-fill