6.3.8 Audit AutoFill

Information

AutoFill capabilities in a Web Browser are a feature to allow a user to avoid re-typing the same user information in every form that a user encounters. Part of the modern internet consists of vendors establishing a seemingly close relationship with as many users as possible to market to them, data-mine from them and sell their data to third-party data aggregators. AutoFill can be a method for a user to share too much information with untrusted website owners. Many security professionals advise disabling autofill to reduce the risk of over-sharing. These security professionals appear to believe that manual data entry is better, since completing the required forms are often the only method to connect to needed data. The best method for security is to ensure that the data ready to be auto-filled is an acceptable risk to sites a user interacts with. Users must review what data they accept the risk to share.

Auditing and accepting information a user is willing to share prior to loading the blank form is the best way to manage risk.

Solution

Profile Method:

Create or edit a configuration profile with the following information:

- The PayloadType string is com.apple.Safari
- The key to include is AutoFillFromAddressBook
- The key must be set to: <<true/false>/>
- The key to include is AutoFillPasswords
- The key must be set to: <<true/false>/>
- The key to include is AutoFillCreditCardData
- The key must be set to: <<true/false>/>
- The key to include is AutoFillMiscellaneousForms
- The key must be set to: <<true/false>/>

Impact:

A user could overshare information based on trusting a site more than required.

See Also

https://workbench.cisecurity.org/benchmarks/18636

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|SC-18, CSCv7|7.1

Plugin: Unix

Control ID: 381b93d7f56b79ccc9cd683e76beadc4709b81baf59e60af3390c3813bfd75e5