I bought some stuff on Amazon, and UPS came to my home yesterday to deliver it - while I was at work, or course. Many times in the past, they simply leave it by the door, but yesterday was one of the times that they decided to be safe and insist on my signature, so they left me a note that they’ll try again. And again I muttered to myself what a wasteful system they have, trying to deliver it when I’m almost surely not home. OTOH, I do understand the risks of leaving packages at the door without a signature. Wouldn’t it be great if they’d let me pick up the package at a UPS Store or some other location? They’d save a decent amount of money (time and effort of the delivery people) and I might get my stuff a day earlier than missing a delivery like just happened!
Apparently, they’ve finally figured this out. On the note they left, there’s an announcement for a new service:
Here are the steps I followed. You can do it too, even if you’re not waiting for a UPS delivery:
[ol]
[li]Go to that page[/li][li]Click on “Sign up now”[/li][li]On the right side, click on either “Get Started” or “Register Now”[/li][li]You’re now at the “Create Login Settings” sections. The first thing it wants is your name, but you can skip that for this demonstration.[/li][li]Go to the second line ,where it asks for your e-mail address. This is the scary part, and is the purpose of this thread.[/ol][/li]It turns out that this field contains a list of many of the email addresses my family has used. Nine of them, actually. If you start typing something in that field, it will show you the addresses beginning with that letter. If you type a blank space, you’ll get the whole list. You’ll also get the whole list if you click in the field twice - even if it is slow enough not to count as a double-click.
This is scary. Where is it getting all these email addresses from? Some of them are real email addresses that I or others in my family have used for actual email. Another is clearly a typing error from once upon a time. Another looks like an email address, but it actually the Netflix login of a relative who never uses email on my pc, but I handle her Netflix account for her.
I don’t think anyone at UPS is nefariously collecting email addresses for evil purposes. But it does bother me that the addresses are being collected and COULD be sent to UPS – or anyone else – for evil purposes.
Here’s my question for GQ: All the above happens in Firefox, but not in Internet Explorer. Is there a security setting in Firefox that I should be setting?
This may be Auto Form Fill, which is a feature of Firefox that stores things you’ve previously entered in a form field, so you don’t have to enter them each time. If so, it’s a feature of Firefox, and doesn’t involve UPS. Here is an article about it, and how to disable it:
Even though it’s only being stored on the computer, it may be a good idea to disable it anyway if you share a computer.
I do understand the concept of auto-fill fields. The reason I’m over-sensitive about it is that this page seems to be using it in an over-extended manner. The very beginning of the page silverfish linked to says (bolding mine):
Yet this is happening on a page that is brand-new, that I’ve not ever visited before. I would not have expected Firefox to allow Website A to access the data that I’ve entered into fields on Website B.
I will read that article in more detail later. For now, it seems that my only options are:
[ul]
[li]Allow all auto-fill fields[/li][li]Forbid all auto-fill fields[/li][li]Delete all auto-fill entries[/li][*]Delete specific auto-fill entries, by using the delete key when they appear on-screen.[/ul]What I’d really like, in addition to the above, is a list of the specific categories (name, email, city, etc.) and the ability to allow some and forbid others. And the ability to restrict it to cases where I’m returning to the same page where I entered it manually (as advertised) would be good too. I don’t care who knows what state I live in, but my street address is a little different.
Website A doesn’t have the information. Firefox has the information that you entered previously on other websites. ETA: In the same way, if you start filling out the form, entering Keeve@aol.com for example, Websight A doesn’t have that information until you submit, even though it’s sitting there in the email field.
True. But once Firefox has done the work of collecting that information and then displaying it on Website A’s page, then it is possible for Website A to retrieve it and save it on their own systems, no?
Just because I’m paranoid, that doesn’t prove they’re not out to get me.
The new page you visited had a Form Field called email. Other pages you have visited also have had a Form Field called email. All your entries for the email Form Field are stored together, because most people find this convenient.
However, the Website you are visiting cannot see that list - they only get the entry that is in the field when you press Submit (i.e HTML POST).
I’m still trying to wrap my head around someone who’s been posting for 12 years, presumably on a computer, and has never run into auto-complete before.
We once had one of our internal QA people insist that our product had a virus in it, and spent several days tracking down and testing everything. We later learned that she had downloaded it with Internet Explorer, and IE presented her with the boilerplate warning about “files from the internet might be harmful to your computer, are you sure?”, like it does with every downloaded file, and she had interpreted that as “this file has a virus”.
We now scan everything with MalwareBytes before we release. Especially the Linux and Solaris builds.
I certainly have used auto-complete many times, but never before have I seen such a big list of email addresses being offered to me. In retrospect that’s probably because I usually begin typing the info in the field, and then auto-complete only shows me the entries which begin with that letter. On this unusual occasion, I must have pressed the down-arrow or space bar and that how I atypically got to see the whole list.
Speaking as a former programmer now, it seems quite possible that a sufficiently-talented person could write such an API without too much trouble. Especially given that Firefox is open-source, thus revealing the location of where this stuff is kept. For the same reason I rarely allow my browser to remember my password. It’s a pain having to type it, but relatively safer.
:smack::smack::smack::smack::smack::smack::smack::smack::smack:
I made an account on this site specifically to reply to this post. The fact that you claim to be a former programmer scares me a LOT. No it would be impossible to do that. What you’re saying about open source is also wrong. You would have to use the browser that was made by the person doing the password stealing. Do you realize how long it would take to spread that version of firefox around? Why would someone use that version instead of going to the firefox website to download it? If you are that paranoid about using the features, disable it; or don’t use the internet. jfc
Someone could write it, but you’d have to load that version of Firefox (or that extension) on your machine before a visiting web-site would be able to use it. Otherwise, when the web-site made a call to “RetrieveAllFormInformationForUseInNefariousScheme”, your copy of Firefox would ignore it.
In simple terms I think it works like this. Any given web form has a name for each blank, it uses that name to distinguish the different blanks from each other. If the name is something obvious like “customerEmail” then Firefox/Chrome/whatever browser helpfully retrieves what you have entered in blanks with that same name before, whether it’s on the same site or another site. Chrome seems more aggressive about it than Firefox.
I think I need to learn more about what viruses are / aren’t capable of doing. It sure seems like a good virus-writer can install and run just about anything that I could. Let me phrase my question like this:
Suppose I get an email which says, “Click here to see a pretty picture.” Further suppose that if I do click it, then in addition to showing me a pretty picture, it will also install some malware. That sort of thing happens all the time, right? Now, I’ve gotten the impression that lazy programmers need me to actually click on that spot, so that the computer will think that I’ve okayed the installation or whatever, but if I don’t click, then the email is harmless, and that’s why we are warned not to click on stuff. But that’s the lazy virus writers. The really good ones (or, the really evil ones, I mean) know how to install this stuff even without me clicking on it. That why we are also warned not to even OPEN an email if we are suspicious about it. Because even opening it and allowing it to appear on the screen could be bad.
Am I making a mistake somewhere in that paragraph? Isn’t it true that bad people are able to see what’s on my computer?
(If anyone wants to respond, “Well, technically, yes, but then NOTHING on your computer is truly safe” - then you have a good point. But my personal files are mixed in with all sorts of stuff, with folder names and file names that I set up myself. In contrast, anything saved by Firefox would be in a somewhat well-known location and format. Right?)