Wednesday, April 17, 2019

Safari Auto-Submitting AutoFilled Passwords

Steve Troughton-Smith:

Safari’s new ‘submit form as soon as you choose from the autocomplete list’ is the quickest way to get locked out of your bank ever. As a universal default, that seems like such a bad idea


(I think the key part is that it doesn’t consider what happens if the autosaved password is wrong, and so will blind-fire at the site before giving somebody a chance to change it)

This has bitten me several times.

Kyle Howells:

That same sort of ‘presume we are always right’ problem happens with the new password autosuggestion, which covers over the password field and doesn’t let you edit the suggested password anymore.

If it guessed the password requirements wrong you can’t fix it.

Update (2019-04-18): Colin Cornaby:

I hate the way this bypasses the “Remember Me” checkboxes if you didn’t check them before autofill. From Apple’s end I’d guess the lack of cookies and cached logins is probably considered more secure though.

Andrew Abernathy:

As pointed out here, this behavior makes me much more worried about getting locked out of an account.

But beyond that, I dislike the interaction: there’s a “sign in” button on the page, and this preempts me from clicking on that in a way that doesn’t feel “right” to me.

Update (2019-05-01): Dave DeLong:

I generally really really like Safari and have very few complaints about it.


rdar://problem/50369660 “Safari: STOP AUTOSUBMITTING PASSWORD FORMS”

Update (2019-08-20): Andrew Abernathy:

Oh, that’s why I’ve been having to sign in to this web site every time: Safari’s autofill prompt covers the “remember me” checkbox, and Safari’s new behavior of auto-submitting credentials meant it signed in without giving me a chance to notice & check that box.

Update (2020-04-23): Jeff Johnson:

The good news is that StopTheMadness 8.0 can stop Safari from automatically submitting login forms. There’s a new website protection called “Stop autosubmit of autofilled forms”. This is disabled by default, so you’ll need to enable it manually in the StopTheMadness Website Protections. You can selectively enable the protection for individual sites, or you can enable it in the Default Website Protections for all sites. With the new protection enabled, Safari will no longer automatically submit forms. Instead, StopTheMadness will display a confirmation that asks whether you want to submit the form or cancel. If you cancel, then you can make changes to the AutoFilled form and submit manually. Note that when the confirmation is displayed, you can press the return key to submit or press the escape key to cancel if you want to avoid clicking a button.
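As an added illustration of the confirm-before-submit idea described above (this is example code, not StopTheMadness or Safari code): a page-side script that intercepts a login form submission whose password field was filled without any user keystrokes and asks for confirmation first, so a wrong saved password or an unchecked “remember me” box can be corrected before the request goes out. The field names, the “remember me” name pattern, and the keystroke heuristic are assumptions.

```javascript
// Pure decision logic, kept DOM-free so it can be unit-tested outside a browser.
// `fields` is an array of {type, name, value, checked, userTyped} describing one form.
function decideSubmit(fields) {
  const reasons = [];
  const pw = fields.find((f) => f.type === 'password');
  if (!pw) return { confirm: false, reasons };            // not a login form
  if (pw.value !== '' && !pw.userTyped) {
    reasons.push('password was autofilled, not typed');  // may be a stale saved password
  }
  // Assumed name pattern for a "remember me" style checkbox.
  const remember = fields.find(
    (f) => f.type === 'checkbox' && /remember|keep.*signed/i.test(f.name || '')
  );
  if (remember && !remember.checked && reasons.length > 0) {
    reasons.push('"remember me" is unchecked');
  }
  return { confirm: reasons.length > 0, reasons };
}

// Browser glue: remember which password fields received real keystrokes, then
// gate the submit event on decideSubmit(). Assumption: a trusted input event
// carrying an inputType came from the keyboard, while autofill supplies none.
function guardLoginForms(doc) {
  const typed = new WeakSet();
  doc.addEventListener('input', (e) => {
    if (e.isTrusted && e.target.type === 'password' && e.inputType) typed.add(e.target);
  }, true);
  doc.addEventListener('submit', (e) => {
    const fields = Array.from(e.target.elements).map((el) => ({
      type: el.type, name: el.name, value: el.value,
      checked: el.checked, userTyped: typed.has(el),
    }));
    const { confirm, reasons } = decideSubmit(fields);
    // window.confirm: Return accepts, Escape cancels, like the dialog described above.
    if (confirm && !doc.defaultView.confirm('Submit login form?\n' + reasons.join('\n'))) {
      e.preventDefault();   // cancelled: leave the autofilled form editable
    }
  }, true);
}

if (typeof document !== 'undefined') guardLoginForms(document);
```

The guard only helps when the submission passes through a cancellable submit event; it cannot fix the case where the autofill popup hides the checkbox before the user sees it.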

I thought they had recently changed it so other password managers could not do this (i.e., 1Password could no longer do this).

It is mentioned near the end of this article:

Even worse, now you don't have time to check the "remember me" checkmark on the next line after the password. Who made this?

It also breaks logging in when there's a captcha verification required alongside username/pass. Ran into this problem already, and logging in fails endlessly despite using the correct password.

I have several accounts for Amazon and Paypal. I hope this wouldn't mean that I get auto-logged into one of them without being able to choose which one? That'd be catastrophic if I'd pay/buy things on the wrong account because of this.

@Thomas No, it happens after you choose which one.

The one that gets me regularly is the 2FA "SMS me a code". I click that, and then the field comes up to enter the code, and Apple offers me the existing codes (useless!). But then the message with the code arrives and Apple cleverly detects it and offers to fill it (hooray!). But when you click on it, it fills it and removes it from the prefill list, which moves the previous entries up under the mouse and immediately fills the previous entry. Sigh. A perfect example of how to snatch defeat from the jaws of victory!

This has been in STP for some time (couple of months at least). Seems to me it's a bad idea. I really hate it.

