Google is rolling out an enhanced autofill feature for Chrome designed to make filling out online forms faster and easier, but security experts are urging caution.
According to Google’s announcement, the new version of autofill will go beyond storing basic data like names and addresses. Chrome will now be able to save and automatically populate sensitive details such as driver’s license numbers, passport information, and vehicle VINs, with Google emphasizing that privacy and control remain central.
“We’ve designed enhanced autofill to be private and secure. When you enter relevant info into a form, Chrome will save this data only with your permission and protect it through encryption. And before filling in saved info on your behalf, Chrome will ask you to confirm, keeping you in full control of your data,” Google wrote in its blog post.
The company also said Chrome can now “better understand complex forms and varied formatting requirements, improving accuracy across the web,” while maintaining that the new autofill will be “private and secure.”
But will it?
Convenience Meets Risk
While Google’s feature promises smoother user experiences, experts warn that convenience can sometimes come at the expense of security.
Nivedita Murthy, Senior Staff Consultant at Black Duck, says that although Google already stores basic information for autofill, the security model around it hasn’t fundamentally changed: “Google already allows you to store some of your information such as full names and address to populate forms easily. However, this information is not stored in a secure format.”
Murthy added that while the feature is useful, “it adds an additional risk in keeping your personal information in one location.” Since Google accounts are widely used for authentication across multiple platforms, a single breach could have cascading effects.
“If your email account is compromised, not only could your emails get leaked, but any personal information that is also stored within that account (in this case: licenses, VIN numbers, passport details.),” she said. “One needs to balance the convenience with the potential repercussions of storing information in a location that is used across multiple platforms with the high-level risk it presents.”
Murthy also suggested that dedicated password managers offer a safer alternative for storing and auto-filling sensitive data.
“Most password managers allow you to store such sensitive information for populating required forms,” she noted. “While there is a risk of the password vault being potentially compromised, it is considerably lower than your email being hacked.”
Security Depends on the User
Jason Soroko, Senior Fellow at Sectigo, agrees that autofill can be “reasonably safe”, but only if the right protections are in place.
“Autofill can be reasonably safe when the device and account are well protected and you stay attentive to what you approve,” Soroko said. “Chrome encrypts saved data and asks for explicit confirmation before filling, which helps prevent accidental disclosure, and you can add a sync passphrase to protect data even if your account password leaks.”
Still, he cautions that no browser feature is perfectly secure: “Any site that receives real numbers can misuse them,” he warned. “The practical safety hinges on your device lock strength, your Google account security, the extensions you install, and your ability to spot phishing pages.”
Soroko outlined the main risks: “These include lookalike sites that trick you into approving a fill, forms that include extra fields to capture more than you expect, overprivileged extensions that can read form contents, malware or anyone with physical access to an unlocked profile, and exposure if your synced account is compromised.”
He also offered practical steps to reduce risk:
- Enable two-factor authentication (2FA) or passkeys on your Google account
- Set a Chrome sync passphrase so sensitive autofill data is end-to-end encrypted
- Require device or biometric confirmation when prompted
- Save only what you truly need and delete entries after one-time uses
- Avoid using the feature on shared or work devices
- Review and remove extensions you do not trust
- Fill only on HTTPS pages and double-check the URL bar before approving a fill
- Use Enhanced Safe Browsing for stronger phishing detection
- Fall back to manual entry when a site feels off
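One way to act on the extension-review step is to check each extension's `manifest.json` for access to every site, since that is what lets an extension read form contents wherever autofill runs. The following is an added example, not part of the original article or any Google tooling; the sample manifests and function names are constructed for illustration.

```javascript
// Added example: flag extension manifests whose declared access covers
// every site. Only standard manifest.json keys are inspected.

const BROAD = new Set(['<all_urls>']);

// A match pattern is "broad" if it covers every host for a scheme,
// e.g. *://*/*  or  https://*/*  (any path).
function isBroadPattern(p) {
  return BROAD.has(p) || /^(\*|https?):\/\/\*\/.*$/.test(p);
}

function auditManifest(manifest) {
  const findings = [];
  // Manifest V3 lists hosts in host_permissions; V2 mixes them into permissions.
  const declared = [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []),
  ];
  for (const p of declared) {
    if (isBroadPattern(p)) findings.push(`host access to all sites: ${p}`);
  }
  // Content scripts run inside the page and can read form field values.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadPattern(m)) findings.push(`content script on all sites: ${m}`);
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical extensions, not real ones).
const SAMPLES = {
  'coupon-helper': {
    manifest_version: 3,
    permissions: ['storage'],
    host_permissions: ['<all_urls>'],
    content_scripts: [{ matches: ['*://*/*'], js: ['inject.js'] }],
  },
  'legacy-toolbar': { manifest_version: 2, permissions: ['tabs', 'https://*/*'] },
  'docs-exporter': {
    manifest_version: 3,
    permissions: ['activeTab'],
    host_permissions: ['https://docs.example.com/*'],
  },
};

for (const [name, m] of Object.entries(SAMPLES)) {
  console.log(name, auditManifest(m));
}
```

An empty result only means the manifest does not request all-site access up front; patterns such as `*://*.com/*` are not flagged by this check.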
Encryption Helps, But Not Perfectly
Boris Cipot, Senior Security Engineer at Black Duck, says that Google’s implementation of encryption and user consent is solid, but users still need to be vigilant.
“As per Google, the stored data is encrypted and only permitted data will be stored and used if needed,” he said. “This means that Autofill will happen only with user permission. Chrome asks the user for confirmation before it populates the form.”
Cipot added that if a user is signed in on a secure, protected device, “the data should be well-protected in general and provide a secure sync via their Google account.” However, he echoed that 2FA or MFA should be mandatory for anyone using this feature.
Still, there are several caveats: “The main concern with Chrome storing and automatically filling in this information might be a device compromise where someone gains access to your device and extracts autofill data,” Cipot said. “There is also the risk of being too fast, consider phishing sites asking you to fill out a form. Google offers to autofill the form and you forget to even check if the form/site is valid.”
He added that syncing across multiple devices introduces another weak point: “The functionality by itself is safe, but the risk lies in making sure that all devices you are syncing to are secure and safe,” he noted. “An additional risk involves browser vulnerabilities. Browsers are complex pieces of software, and they also are prone to occasional security flaws.”
Convenience and Added Responsibility
Google’s enhanced autofill promises a faster, more seamless browsing experience, but with added convenience comes added responsibility.
The feature may be encrypted and permission-based, but as Soroko summed up: “No browser feature is perfectly safe.”
The safest path, experts agree, is a mix of cautious use, strong authentication, and healthy skepticism toward anything that feels even slightly off.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


