Hi,
First of all I think the new Universal Login is a big improvement over the Classic login using lock.
But there were a few findings out of a pentest we requested, one of the vulnerabilities/findings was that the password field had autoComplete="current-password" set instead of autoComplete="off".
One of the risks is for example if the application has an XSS vulnerability, an XSS payload could be crafted that abuses the autocompletion feature to steal the user’s stored password. It is a low risk because there has to be an XSS vulnerability, but it is still a risk.
Is there a possibility to set this off by default or add a feature to disable it?
Thank you.
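A defender-side check for the finding above, added here as an example and not part of the original post or of Auth0's own code: a small Python auditor that scans login-page markup and reports every password input whose autocomplete attribute is anything other than an explicit "off". The sample markup is constructed for the example and is not real Universal Login HTML.

```python
from html.parser import HTMLParser


class PasswordFieldAuditor(HTMLParser):
    """Collect every <input type="password"> together with its autocomplete value."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lowercases attribute names; values are normalised here.
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password":
            return
        self.fields.append({
            "name": a.get("name") or a.get("id") or "<unnamed>",
            "autocomplete": a.get("autocomplete", "").strip().lower(),
        })


def audit_password_fields(html):
    """Return one (name, autocomplete, finding) tuple per password field.

    Anything other than an explicit autocomplete="off" is flagged: a missing
    attribute and a "current-password" hint both invite the browser to fill
    the stored password into the page, which is what the pentest reported.
    """
    parser = PasswordFieldAuditor()
    parser.feed(html)
    results = []
    for f in parser.fields:
        finding = "ok" if f["autocomplete"] == "off" else "autofill-enabled"
        results.append((f["name"], f["autocomplete"], finding))
    return results


# Constructed sample page: one field as the pentest described it, one hardened.
SAMPLE_HTML = """
<form>
  <input type="email" name="username" autocomplete="username">
  <input type="password" name="password" autoComplete="current-password">
</form>
<form>
  <input type="password" id="hardened" autocomplete="off">
</form>
"""

if __name__ == "__main__":
    for name, value, finding in audit_password_fields(SAMPLE_HTML):
        print(f"{name}: autocomplete={value!r} -> {finding}")
```

Current browsers' built-in password managers generally ignore autocomplete="off" on login fields, so treat the attribute as a hardening hint that reduces exposure rather than a guarantee that stored credentials cannot be filled in.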