Chrome autofills passwords fields with autocomplete=off in iOS

UPDATE: This has since been fixed in Version 36.0.1985.49

Back in November last year Google rolled out Chrome Autofill features to their iOS app, an update that brought the capabilities inline with their existing Android app. The feature allows users to complete forms with just one click.

Within it’s current stable version on iOS (35.0.1916.41) we’ve discovered an issue where Chrome will save passwords entered into fields to Auto Fill suggestions when the website offers a plain-text option for password retries.

We’ve tested this on the mobile version of Facebook (m.facebook.com) from both the standard version of the browser and incognito and have had the same result. When you input your password incorrectly you are prompted to login again with an asterisk-free plain text version. This password is then saved to Auto Fill suggestions so when you eventually logout, when trying to log in again your password will be displayed as a suggestion for that field.

Chrome is ignoring the autocomplete=off attribute that Auto Fill seems to ignore when websites offer plain text password fields for users second attempts.

The issue also exists within incognito and we’ve reported the bug within Chrome.