tedster - 3:29 pm on Jul 23, 2010 (gmt 0)
No, sorry to say, that's not enough because the visitor doesn't actually see this hack happening on the screen. You've got to turn off the auto-complete function completely. Or better still, don't have any real data available for the browser to use.
This particular stew is getting thicker - there's a similar vulnerability in IE6 and IE7. See "IE and Safari lets attackers steal user names and addresses" [theregister.co.uk]:
In a talk scheduled for next week's Black Hat security conference in Las Vegas, Jeremiah Grossman, CTO of White Hat Security, plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice.