macOS and iOS: How to Turn Off Safari Autofill

This weekend, headlines were made when research found new techniques used by advertisers. It’s a way for ad targeters to track you using your browser’s password manager. Two scripts—AdThink and OnAudience—obtain information that can identify you from autofill forms. Here’s how to turn off Safari autofill on macOS and iOS.

Which Password Managers?

1Password took to Twitter to reassure users, saying that the password manager is immune to these types of attacks.

Another popular manager, LastPass, hasn’t given any information (that I know of) about this attack. But these password managers tend to work similarly, so I’m guessing that it too isn’t affected.

Safari autofill attack process.
The attack process. Credit: Freedom to Tinker

The scripts work by injecting invisible login forms in the background of a website. When your browser automatically fills in data, it collects that information. It can be used as a persistent ID to track people throughout the web. While they largely focus on usernames, there is nothing stopping them from collecting passwords too.

Turn Off Safari Autofill

People who use third-party password managers aren’t affected. If you rely on iCloud Keychain, the scripts may end up collecting your data. But it’s easy to turn off autofill.

macOS

On your Mac, open Safari and go to Safari > Preferences. When the preferences box appears, click on the Autofill tab. Uncheck the box next to user names and passwords.

Safari Autofill preferences in macOS.

iOS

On your iPhone or iPad, go to Settings > Safari > Autofill. Turn off the switch next to Names and Passwords.

However, if you prefer to use iCloud Keychain instead of paying for a password manager, you can use an adblocker to prevent tracking by third-party scripts. The researchers note that the two domains used to serve the scripts (behavioralengine.com and audienceinsights.net) are blocked by the EasyPrivacy blocklist.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.