S2member Pro Stripe Secret Key field bug in Chrome

s2member (Pro) > Stripe Options page has an input field for Stripe Secret API Key.
The secret key is obfuscated by dots, just like when you enter a password.
The developer has achieved that with a ‘shortcut’, declaring the field a password.

The admin frontend HTML for that field looks like:

<input type="password" autocomplete="off" name="ws_plugin__s2member_pro_stripe_api_secret_key" id="ws-plugin--s2member-pro-stripe-api-secret-key" value="MYSECRETKEYHERE">

We can see the developer has declared an input type="password". This encourages your browser to autofill your known WordPress website admin password into the field. The developer must be aware of this, as they have then declared the correct autocomplete="off" setting to discourage/prevent browsers from doing this.

However, currently at least, Chrome does not obey this standard, and on opening the page will auto-insert the admin password of the admin user.

This will result in payment failure as your admin password =/= Stripe secret key. Users will get an error: "Invalid Stripe API keys; please contact the owner."

Suggest one of three solutions:

  1. Obfuscate this field using a different methodology.
  2. Try the newer values autocomplete="false" and, more recently, autocomplete="chrome-off", as since April 2020 Chrome might obey these.
  3. Workaround: create a dummy field. Place a second type="password" input field before the Stripe one and hide it from the user, as Chrome will only autofill the first password field it finds. You have to be careful how you hide fields, as since 2018 Chromium has ignored display:none; fields and the like.

Cheers, Andy


Nice catch @AndyGWD.

This issue appears not to be limited to Chrome. See the MDN explanation and workaround.

@clavaque - minor code change…switch from autocomplete="off" to autocomplete="new-password"

Note that anyone who administers a system should have browser auto-fill disabled for obvious security reasons.

Interesting question is whether password managers have the same issue.
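An added example covering both posts above (Andy's markup and workarounds, and the autocomplete="new-password" change suggested in the reply). This is illustration code written for this thread, not s2member's code and not code posted by either participant. It renders the secret-key field in the quoted form and in the two fixed forms, audits rendered HTML for password inputs that still rely on autocomplete="off", and adds a pre-submit check that catches the failure mode described above: a value in the field that cannot be a Stripe secret key (Stripe secret keys begin with sk_live_ or sk_test_, restricted keys with rk_live_ or rk_test_). The decoy field name, the off-screen styling and every sample value are assumptions constructed for the example; whether a given browser fills the decoy rather than the real field has to be verified in that browser.

```javascript
// Added example, not s2member's code and not posted by anyone in this thread.
// Field name and id are the ones quoted above; DECOY_FIELD_NAME and all
// sample values are constructed for this example.
const STRIPE_FIELD_NAME = "ws_plugin__s2member_pro_stripe_api_secret_key";
const STRIPE_FIELD_ID = "ws-plugin--s2member-pro-stripe-api-secret-key";
const DECOY_FIELD_NAME = "s2member_autofill_decoy"; // assumed, not a real plugin field

// Stripe secret keys start with sk_live_ / sk_test_ (restricted keys: rk_live_ / rk_test_).
// A WordPress login password autofilled into the field will never match this.
const STRIPE_SECRET_KEY_RE = /^(sk|rk)_(live|test)_[A-Za-z0-9]{8,}$/;

function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Render the secret-key input in one of three forms:
//   "original"     - the markup quoted in the thread (autocomplete="off")
//   "new-password" - the reply's fix: the autocomplete token browsers honour
//   "decoy"        - Andy's workaround 3: a hidden password field placed first
function renderSecretKeyField(value, mode) {
  const autocomplete = mode === "new-password" ? "new-password" : "off";
  const real =
    `<input type="password" autocomplete="${autocomplete}" ` +
    `name="${STRIPE_FIELD_NAME}" id="${STRIPE_FIELD_ID}" value="${escapeAttr(value)}">`;
  if (mode !== "decoy") return real;
  // Hidden by off-screen positioning rather than display:none, which the thread
  // notes Chromium has skipped since 2018 when choosing a field to fill; confirm
  // in the target browser. tabindex=-1 keeps it out of the tab order.
  const decoy =
    `<input type="password" autocomplete="off" name="${DECOY_FIELD_NAME}" ` +
    `tabindex="-1" aria-hidden="true" ` +
    `style="position:absolute;left:-10000px;width:1px;height:1px;">`;
  return decoy + real;
}

// Check: list password inputs in rendered HTML whose autocomplete is not
// "new-password". Regex-based, which is enough for auditing a settings page.
function auditPasswordInputs(html) {
  const findings = [];
  const attr = (tag, name) => {
    const m = new RegExp(`\\b${name}\\s*=\\s*"([^"]*)"`, "i").exec(tag);
    return m ? m[1] : null;
  };
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    if ((attr(tag, "type") || "text").toLowerCase() !== "password") continue;
    const ac = (attr(tag, "autocomplete") || "").toLowerCase();
    if (ac !== "new-password") {
      findings.push({ name: attr(tag, "name"), autocomplete: ac || null });
    }
  }
  return findings;
}

// Classify what is actually in the field. "not-a-stripe-key" is the case from
// the thread: something else (e.g. an autofilled login password) is in the box.
function checkSecretKeyValue(value) {
  const v = String(value == null ? "" : value).trim();
  if (v === "") return { ok: false, reason: "empty" };
  if (STRIPE_SECRET_KEY_RE.test(v)) {
    return { ok: true, reason: v.startsWith("rk_") ? "restricted-key" : "secret-key" };
  }
  return { ok: false, reason: "not-a-stripe-key" };
}

// Browser-side guard for the settings form: refuse to submit a value that cannot
// be a Stripe key, so a clobbered field is caught before it is saved and later
// produces "Invalid Stripe API keys" at checkout.
function guardSecretKeyField(form) {
  const field = form.querySelector("#" + STRIPE_FIELD_ID);
  if (!field) return false;
  // Clear the custom message as soon as the admin edits the field, otherwise the
  // browser's own validation keeps blocking the form after the value is fixed.
  field.addEventListener("input", () => field.setCustomValidity(""));
  form.addEventListener("submit", (ev) => {
    const result = checkSecretKeyValue(field.value);
    if (!result.ok) {
      ev.preventDefault();
      field.setCustomValidity(
        "This is not a Stripe secret key (" + result.reason + "); check for browser autofill.");
      field.reportValidity();
    }
  });
  return true;
}

// When pasted into the browser console on the settings page, attach the guard
// to the form that actually contains the Stripe field.
if (typeof document !== "undefined") {
  const field = document.getElementById(STRIPE_FIELD_ID);
  if (field && field.form) guardSecretKeyField(field.form);
}
```

The audit is the quick check to run against the admin page's HTML after any plugin update: a password input still carrying autocomplete="off" (or none at all) is the condition the thread describes. The guard is defence in depth only; the markup fix is what stops the browser writing the login password into the field in the first place.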