ObXKCD
https://xkcd.com/1834/
Auto-completion systems that attempt to finish your sentences when typing text messages or search queries can be a mixed blessing. Often, they save time. But they can also get in the way when they make incorrect guesses about intended input. In the context of software bug reporting, however, auto-completion – adding additional …
Google, autocomplete, bug reports, and mixed blessings. Hmmm, that reminds me of something I discovered a week ago, reported to the Android team and was told it was a browser problem.
On an Android phone...
1) Fire up Chrome.
2) Go to mail.google.com (if you don't have a Gmail account this will have to remain a thought experiment for you).
3) Sign in. Sign out. Shake it all about. Repeat a few times.
4) Go to mail.google.com. Note that it helpfully knows who you are (not so helpful for you if somebody has nicked your phone, because now they know your e-mail address) but don't sign in (yet). Well, there is a "sign out completely" option, but how many people bother with that? Maybe a few more now I've posted this.
5) Click on the "show password" icon (the eye with a line through it).
6) Now enter your password. Note how the autocomplete shows up. Watch, as you enter more characters of your password, how the autocomplete homes in on your password. If you have non-alpha characters near the start of your password the full password shows up in the autocomplete very quickly.
Whoops! The sign-in not only gives away your account's username (if you can't be arsed to sign out completely each time), it drastically reduces the entropy of your password. Paradoxically, the stronger your password (with several non-alpha characters) the more entropy it discards.
Very secure.
I wonder if there's an API for apps to interrogate the autocomplete dictionary. If there is, a malicious app (which could pass all Play Store security tests) could drastically reduce the search space for your password. Especially if you've used a good password. How often does "k*hr}39rq" occur in ordinary text? Damn, now I have to change my Gmail password.
Firefox is worse. Click on the "show password" icon and it shows your full password in a browser-generated autocomplete box (as well as popping up the soft keyboard autocomplete) without you having to type anything. Assuming you've previously logged into Gmail using Firefox, of course.
The Android team tell me this is a browser issue, not an Android one. I've repeated this test with IE on Linux and Windows, Edge on Windows, Chrome on Linux and Windows, and Konqueror on Linux and none of them exhibit this flaw. None of them exhibit this flaw because the Linux and Windows systems I tried it on have real keyboards, not a soft keyboard with autocomplete.
Since the Android team tells me it's not an Android problem, there's no reason why I shouldn't post the details here. At least that way some people get to learn there's a security hole in the thing. If any of you can be arsed to contact every browser app for Android (there are a lot of them) then be my guest.
I expect responses telling me I'm an idiot and it really is a browser flaw. Or a Gmail sign-in page flaw. Maybe you're right. After all, it's not like Android, Gmail and Chrome are all produced by the same company whose development teams ought to have lines of internal communication unavailable to the rest of us. It's unreasonable of me to expect that informing one member of the triad of such a problem would result in them communicating internally to figure out what they could do to resolve a problem which seems to arise because of the interaction of all three of their products.
It's a good job I use the lock screen and have a decent password on that. The short time-out I set can make it a real pain to use sometimes, but it's necessary.
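The mechanism behind the reproduction steps above is that the "show password" eye flips the field from type="password" to type="text", so the soft keyboard's input connection becomes an ordinary text field and its suggestion engine gets to see (and learn) the password. The following is an added example, not code from the original post or from any of the products it names, showing how a page author can offer a reveal control without that side effect. Two approaches are shown: keeping the field as type="password" and mirroring its value into a read-only element (so no text-type field ever carries the secret), and, as a fallback where the type must be switched, setting the attributes that ask the browser and keyboard not to suggest or learn from the field. Which of those hints a given Android keyboard honours is an assumption and keyboard-specific, which is why the mirror approach is the one to prefer. `FakeInput` is a constructed stand-in for a DOM node so the snippet runs outside a browser; `makePasswordReveal`, `hardenRevealedField` and `demo` are names chosen for this example.

```javascript
// Added example (not code from the original post): a "show password" control
// that never hands the password to the soft keyboard as an ordinary text field.

// Hints asking the browser/keyboard not to suggest or learn from a text field.
// Assumption: which hints a given Android keyboard honours is keyboard-specific,
// so this is a best-effort fallback; keeping type="password" is the robust fix.
const NO_LEARN_ATTRS = {
  autocomplete: 'off',
  autocorrect: 'off',      // WebKit-specific hint; ignored by other engines
  autocapitalize: 'none',
  spellcheck: 'false',
};

// Apply the no-suggest/no-learn hints to an <input> (anything with setAttribute).
function hardenRevealedField(input) {
  for (const name of Object.keys(NO_LEARN_ATTRS)) {
    input.setAttribute(name, NO_LEARN_ATTRS[name]);
  }
  return input;
}

// Build a reveal control. `input` stays type="password"; `mirror` is a read-only
// element (e.g. a <span>) whose textContent shows either the mask or the secret.
// textContent, never innerHTML, so a password such as "<b>x" cannot inject markup.
function makePasswordReveal(input, mirror) {
  if (input.type !== 'password') {
    throw new Error('makePasswordReveal expects a type="password" field');
  }
  let shown = false;
  function render() {
    mirror.textContent = shown ? input.value : '\u2022'.repeat(input.value.length);
  }
  input.addEventListener('input', render);
  render();
  return {
    toggle() { shown = !shown; render(); return shown; },
    isShown() { return shown; },
    fieldType() { return input.type; },   // remains "password" after toggling
  };
}

// Constructed stand-in for a DOM <input> so the snippet runs outside a browser.
class FakeInput {
  constructor(type) {
    this.type = type;
    this.value = '';
    this.attrs = {};
    this.handlers = {};
  }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; }
  addEventListener(event, fn) {
    (this.handlers[event] = this.handlers[event] || []).push(fn);
  }
  // Simulate the user typing: append text and fire the "input" listeners.
  typeText(text) {
    this.value += text;
    (this.handlers.input || []).forEach((fn) => fn());
  }
}

// Demo: type the post's sample password with the reveal off, then on. The field
// type never changes, so the keyboard's input connection stays a password one.
function demo() {
  const input = new FakeInput('password');
  const mirror = { textContent: '' };
  const reveal = makePasswordReveal(input, mirror);
  input.typeText('k*hr}39rq');
  const masked = mirror.textContent;
  reveal.toggle();
  const revealed = mirror.textContent;
  hardenRevealedField(input);   // fallback hints, applied for illustration
  return {
    masked,
    revealed,
    type: reveal.fieldType(),
    autocomplete: input.getAttribute('autocomplete'),
  };
}

console.log(demo());
```

In a real page the mirror element should be visually adjacent to the field and cleared when the form is submitted or the field loses focus; the point of the design is simply that the secret is only ever typed into a password-type field, which is the one kind of field the keyboard is built not to learn from.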