Autofill on the Chrome browser is handy but there are security holes, says Google.
The tech giant said this week that the next version of the Chrome browser, coming in October, will try to stop users from completing forms on secure pages that are submitted insecurely.
The issue at hand is seemingly secure HTTPS websites (web pages that begin with “https” and show a closed lock icon to the left of the website address). Sometimes, these sites can contain forms that are not secure and ask a user to fill out sensitive personal and financial data.
“These ‘mixed forms’…are a risk to users’ security and privacy,” Google said, adding that “Information submitted on these forms can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data.”
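For site owners who want to find such forms before Chrome flags them, the following is an added example (not code from Google or from the original article) that audits the HTML of an HTTPS page for form targets that resolve to plain `http://`. The function names, the sample markup and the `example.test` hosts are constructed for illustration, and treating `formaction` and `<base href>` as part of the check is this example's assumption about what an audit should cover, not a statement of Chrome's exact logic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class MixedFormFinder(HTMLParser):
    """Collect form targets on an HTTPS page that resolve to plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = None          # set by the first <base href>, if any
        self.targets = []         # (tag, attribute, raw value), in page order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = urljoin(self.page_url, a["href"])
        elif tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.targets.append((tag, "action", a.get("action") or ""))
        elif tag in ("button", "input") and a.get("formaction"):
            # formaction on a submit control overrides the form's action.
            self.targets.append((tag, "formaction", a["formaction"]))

    def findings(self):
        base = self.base or self.page_url
        resolved = ((t, a, urljoin(base, raw.strip())) for t, a, raw in self.targets)
        return [r for r in resolved if urlsplit(r[2]).scheme == "http"]


def find_mixed_forms(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []                 # only an HTTPS page can host a "mixed" form
    finder = MixedFormFinder(page_url)
    finder.feed(html)
    return finder.findings()


# Constructed sample page, not taken from any real site.
SAMPLE = """
<form action="/login" method="post"><input name="user"></form>
<form action="http://pay.example.test/charge" method="post">
  <input name="card"><button formaction="//cdn.example.test/alt">Pay</button>
</form>
<form method="post"><input type="submit" formaction="http://example.test/x"></form>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_forms("https://shop.example.test/cart", SAMPLE):
        print(f"mixed form: <{tag} {attr}> submits to {url}")
```

Relative and protocol-relative targets inherit the page's `https` scheme and are not reported; only targets that end up on `http` are.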
Users will, for example, get a warning about Autofill, a widely used Chrome feature that fills out forms automatically with saved address or payment info.
If you begin filling out a mixed form, you will see a warning alerting you that the form is not secure and that Autofill has been turned off. If you go ahead anyway, you will see “a full page warning” about the risk, asking you to confirm that you’d like to submit the form anyway.
Before version 86, the only heads-up users got was the removal of the lock icon from the address bar, Google said.
“We saw that users found this experience unclear and it did not effectively communicate the risks associated with submitting data in insecure forms,” according to Google.
"Without this new feature, a user would have no idea that they are leaving themselves open to having their potentially sensitive information stolen by malicious actors," Ray Kelly, principal security engineer at WhiteHat Security, a San Jose, Calif.-based provider of application security, told Fox News.
Google noted, however, that while Autofill will be disabled, Chrome’s password manager will continue to work on mixed forms with login and password prompts to help users input unique passwords.
“It is safer to use unique passwords even on forms that are submitted insecurely than to reuse passwords,” Google added. Reusing passwords across different websites is a big no-no that Google has warned about previously.
Making forms more secure is part and parcel of Google’s efforts to step up security on sensitive data. The company announced at the end of July that users can now confirm their credit card with biometrics.
Currently, if a user saves their credit cards to their Google Account, Chrome asks the user to confirm their credit card by entering its CVC before the full credit card number is autofilled into a form.
“Going forward, Chrome will allow you to enroll your device to retrieve card numbers via biometric authentication, such as your fingerprint,” Google said in July.
Users still need to provide their CVC the first time they use their credit card. Following that, users can confirm their credit card using biometric authentication, avoiding the hassle of pulling out a wallet and typing the CVC every time.
Biometric authentication is optional and users can turn this feature on and off in Chrome Settings.