Severity:
High
Context:
The login form currently allows device autocomplete, which can fill the username automatically.
For security reasons, this should not be allowed, especially on shared devices.
Steps to Reproduce:
- Open the login page on any device.
- Use the device autocomplete to fill the username.
- Enter the password manually.
- Click Login.
Expected Result:
- App blocks autocomplete for the username.
- Users must enter their username manually to prevent misuse.
Actual Result:
- App accepts the auto-filled username.
- User can log in without typing their username manually.
Impact:
- Security risk: credentials could be used by unintended users.
- Violates best practices for secure login.
- Could lead to unauthorized access on shared devices.
Suggested Fix:
- Set autocomplete="off" for the username field.
- QA tests to ensure autocomplete cannot bypass login rules.
- Educate users about manual entry requirements on shared devices.
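As an added example (not code from the original report), a QA check that scans login-page markup for username fields a browser may still autofill, taking into account both the input's own autocomplete attribute and the value it inherits from the enclosing form; the sample markup and the regex-based tag parsing are constructed assumptions, not a full HTML parser.

```javascript
// Added QA example, not part of the original bug report.
// Assumptions: markup is a constructed sample; tag/attribute parsing is a
// simple regex that is adequate for well-formed <form>/<input> tags only.

// Field names treated as "username-like" for this check (assumption).
const USERNAME_NAMES = /^(user(name)?|login|email)$/i;

// Parse one tag's attributes into an object with lowercase keys and values.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\w+/, ''); // drop the tag name
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').toLowerCase();
  }
  return attrs;
}

// Return the names of username-like inputs that a browser may autofill.
// Per HTML, an <input> without its own autocomplete attribute inherits the
// enclosing <form>'s value (default "on"), so both levels are considered.
function findAutofillableUsernameFields(html) {
  const offenders = [];
  const formRe = /<form\b[^>]*>[\s\S]*?<\/form>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const formTag = f[0].match(/<form\b[^>]*>/i)[0];
    const formAuto = parseAttrs(formTag).autocomplete ?? 'on';
    const inputRe = /<input\b[^>]*>/gi;
    let i;
    while ((i = inputRe.exec(f[0])) !== null) {
      const a = parseAttrs(i[0]);
      const name = a.name || a.id || '';
      if (!USERNAME_NAMES.test(name)) continue;
      const effective = a.autocomplete ?? formAuto;
      if (effective !== 'off') offenders.push(name);
    }
  }
  return offenders;
}

// Constructed sample markup: the reported state and the suggested fix.
const BEFORE_FIX = `<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="off">
</form>`;
const AFTER_FIX = BEFORE_FIX.replace('name="username"',
  'name="username" autocomplete="off"');
```

Running the check against BEFORE_FIX reports the username field; against AFTER_FIX it reports nothing, which is the assertion a QA test for this ticket would carry.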
Lesson learnt:
"Convenience is great until it becomes a security hole!"
Let's connect! I share common bugs, solutions, and QA tips regularly.