There are people that have written things to steal the auto-complete list but they require you to interact with the browser to step through each entry. Basically they create a little game and every mouseclick in the game captures the next entry and because they set up the auto-complete field to be hidden from your view you don’t see what is happening.
Interesting. I really did not realize that the PCs are that secure that they can’t do this without the victim participating somehow. I’m grateful, but surprised. Are the warnings about malware overblown?
Actually, all the autocomplete stuff is stored in a database file named formhistory.sqlite somewhere in your Firefox directory. It contains one table “moz_formhistory” and can be read with a single sqlite3 command “select * from moz_formhistory” (on Linux anyway, I don’t know Windows). If you get malware, it could easily read that file. While the data is readable, it doesn’t seem to be very interesting. The only things I see in mine are my name, address and phone number, Google search terms and a LOT of crap. Malware could probably get more juicy info from reading your email or browser history than trying to sort through the garbage in the autocomplete file.
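An added example, not part of the original post: a self-audit that reports which rows of `moz_formhistory` look sensitive, so you know what to clear from your own profile. The column names `fieldname`, `value` and `timesUsed` are assumed from Firefox's schema (the post names only the file and table), and the sample database is constructed.

```python
import re
import sqlite3

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CARDLIKE_RE = re.compile(r"^[\d -]{13,23}$")
NAME_RE = re.compile(r"pass|pwd|ssn|card", re.I)

def luhn_ok(value):
    """True if the digits in value form a 13-19 digit Luhn-valid number."""
    digits = [int(c) for c in value if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(fieldname, value):
    if CARDLIKE_RE.match(value) and luhn_ok(value):
        return "card-number"
    if EMAIL_RE.match(value):
        return "email"
    if NAME_RE.search(fieldname):
        return "sensitive-field-name"
    return None

def audit(conn):
    """Return (kind, fieldname, timesUsed) per flagged row; values are never echoed."""
    rows = conn.execute("SELECT fieldname, value, timesUsed FROM moz_formhistory")
    return sorted((k, f, n) for f, v, n in rows if (k := classify(f, v or "")))

def sample_db():
    """Constructed in-memory stand-in for formhistory.sqlite (subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, "
                 "fieldname TEXT, value TEXT, timesUsed INTEGER)")
    conn.executemany(
        "INSERT INTO moz_formhistory (fieldname, value, timesUsed) VALUES (?, ?, ?)",
        [("searchbar-history", "weather tomorrow", 3),   # constructed rows
         ("email", "abc@example.com", 12),
         ("ccnum", "4111 1111 1111 1111", 1),            # well-known test number
         ("phone", "555-0100", 2)])
    return conn

if __name__ == "__main__":
    for kind, field, used in audit(sample_db()):
        print(f"{kind:22} field={field!r} timesUsed={used}")
```

To check a real profile, pass `audit()` a connection to a copy of your own formhistory.sqlite instead of `sample_db()`.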
I never said PCs are that secure. Of course warnings about malware are not overblown.
Are you being serious? (I really can’t tell)
My post was merely related to the ability for a web page to get at the list - if you have an arbitrary program running on your system then yes, of course it can read that data.
I had to check the thread date. I was sure that this must be a zombie from 1999 or something.
This thread is awesome. Keeve, may I ask what your actual former programming experience is? I’m not gonna lie to you, I’m laughing a little at your understanding of auto-complete functionality. But I promise you I’m doing it in the most good-natured and non-dickish way possible. 
What UPS doesn’t tell you while they are sucking you into filling all the forms is that you will then have to pay $40 a year if you want any of the following services:
Manage and track all your home deliveries with a convenient, online calendar
Designate where you would like our driver to leave your package (e.g. back porch)
Get a confirmed two-hour window for home delivery
Reschedule the delivery of a package while you're on vacation
Even if you don’t submit the form, if you fill out a text field (or accidentally click one of the auto-complete entries), isn’t it possible that some rogue javascript would capture what’s in that text field and send it off? (But even that’d still just be one email address at a time, not the entire cached list.)
If someone could write a virus that can steal everything in your autocompletes, why couldn’t that same malicious programmer also just write a virus that steals all the information that is stored on or passes through your computer? I mean, you use your computer for information that’s a lot more valuable than e-mail addresses. Like, for instance, the credit card number that you used to place that order on Amazon. If you’re so paranoid about this, why were you willing to type that into your browser?
Thanks, I appreciate it. From the early 80s to early 2000s I worked for several software houses on business applications - order entry, invoices, inventory, A/R and A/P. It was all in various versions of Basic, up to and including VB6. I wasn’t great at keeping my skills up to the market, and the switch to VB.NET knocked me out. All my experience involves one person entering/retrieving data from the system; nothing regarding interactions with other users, certainly not peering into other computers.
So, although I admit to being clueless about the abilities of 21st century viruses, I was fairly average for the late 20th century. (I still have a printout of a memo I wrote to my boss in 1985, about what would later be known as the Y2K problem.)
You are totally correct, and I explicitly addressed this point in my last paragraph in post #20 above. Basically, it is my hope that the credit-card number is in a very-temporary file, and gets deleted shortly after the transaction is complete. That doesn’t bother me as much as a list of information permanently stored in an easy-to-find place in my computer.
Yes, it’s untrue that you must submit the form in order for a site to read what you’ve typed into it (or what you’ve selected from the autocomplete menu) if you have javascript enabled. It can’t automatically pull stuff out of the autocomplete menu; the act of choosing it from the menu puts it into the field just as if you had typed it, and then the javascript on the page could see it and transmit it to the server without you submitting the form.
I do wonder about this. I don’t recall seeing my credit card number in an auto-complete box. I’ve seen email address, my username and password, my real name, my city, my zip code, but I don’t think I’ve seen my CC number.
I have, and it’s poor coding on someone’s part.
Most website creators are smart enough to disable autocomplete for CC fields (it’s an “autocomplete=off” setting they have to remember to use). Otherwise you get what Telemark experienced.
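An added example, not part of the original posts: a small lint that a site owner could run over a page to find card-like inputs where the autocomplete=off setting was forgotten. The field-name pattern and the sample markup are constructed assumptions, and a form-level setting is treated as inherited unless an input overrides it.

```python
import re
from html.parser import HTMLParser

# Assumed naming pattern for sensitive inputs; adjust to the site's own field names.
SENSITIVE = re.compile(r"card|cc[-_]?num|cvv|cvc|ssn", re.I)
SKIP_TYPES = {"hidden", "submit", "button", "checkbox", "radio"}

class AutocompleteLint(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_off = False     # does the enclosing <form> set autocomplete=off?
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete") == "off"
        elif tag == "input" and a.get("type", "text") not in SKIP_TYPES:
            name = a.get("name") or a.get("id") or ""
            setting = a.get("autocomplete")
            # An explicit value on the input wins; otherwise inherit from the form.
            off = setting == "off" or (setting is None and self.form_off)
            if SENSITIVE.search(name) and not off:
                self.findings.append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def lint(html):
    """Return names of sensitive inputs that the browser may remember."""
    parser = AutocompleteLint()
    parser.feed(html)
    return parser.findings

# Constructed sample page.
SAMPLE = """
<form action="/pay">
  <input type="text" name="fullname">
  <input type="text" name="cardnumber">
  <input type="text" name="cvv" autocomplete="off">
</form>
<form action="/pay2" autocomplete="off">
  <input name="cc_num">
  <input name="ssn" autocomplete="on">
</form>
"""

if __name__ == "__main__":
    print(lint(SAMPLE))
```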
I’m not sure this is true. What if you get a keylogger program? After the infection, it gets whatever passwords you type. But if you use your browser to store passwords, all you’re typing is your browser password, which is useless to anyone without your computer.
In Japan, for a small extra fee, Amazon.co.jp is able to deliver certain products to local convenience stores for collection. 
Well, you’re trading one risk for another. If your computer is infected, the malware could just as easily steal your entire saved password file as it could log your future keystrokes. Or both.
Doesn’t autocomplete in general actually make you safer from a keylogger?
Let’s say my email address is abc@gmail.com, sure, if I type that whole thing in then they’ll see my email. But if I’ve been using autocomplete the keylogger will just see
ab<DOWN ARROW><ENTER>
Hell, storing all your passwords in plaintext on your computer makes a keylogger almost useless, all they’ll ever see you enter is Ctrl+C, Ctrl+V.
Unless I’m taking “keylogger” too literally and modern keyloggers do more than their names imply.
I use the same Yahoo webmail email address with Facebook, and anyone I send an email to or receive one from shows up as a potential friend in Facebook!
This really creeped me out the first time I said where did all these people come from?