security - How safe is it to use Selenium to auto-fill forms with sensitive information

Question

Selenium is usually used for testing. But what if someone decided to use it to autofill forms on websites with personal data(username, password, credit card number). How safe would that be?

I mean the actual part where you call the driver object and pass it all this secure information. Let's assume the information is securely stored until the moment you pass it to the driver.

I wonder if that's what websites that aggregate your credit card and bank accounts use instead of api calls(running a headless browser in the backend to log in to personal profiles).

Answer 1

While using Selenium as mentioned in the Security section within WebDriver - W3C Recommendation the only security concern is that:

A user agent that rely on a command-line flag or a configuration option to test whether to enable WebDriver, or alternatively make the user agent initiate or confirm the connection through a privileged content document or control widget, in case the user agent does not directly implement the HTTP endpoints.

It is strongly suggested that user agents require users to take explicit action to enable WebDriver, and that WebDriver remains disabled in publicly consumed versions of the user agent.

To prevent arbitrary machines on the network from connecting and creating sessions, it is suggested that only connections from loopback devices are allowed by default.

The remote end can include a configuration option to limit the accepted IP range allowed to connect and make requests. The default setting for this might be to limit connections to the IPv4 localhost CIDR range 127.0.0.0/8 and the IPv6 localhost address ::1.

The generic solution was to distinguish the user agent session that is under control of WebDriver from those used for normal browsing sessions. Snapshot of visually distinguishable WebDriver driven user agent: