Helping people with computers... one answer at a time.

Autocomplete, or "suggestions" made when filling out a web form can be misleading, even frightening, until you realize where the suggestions come from.

I need your help with a problem I am having with Amazon.com. Yesterday, after selecting an item to purchase at check out, I was required to sign in. When I entered my first initial, the drop-down menu of my email address appeared. However, there was also an email address which is unknown to me. I contacted Amazon by phone, but I was disconnected. My question is: How did someone gain access to my account on Amazon's website to enter an unauthorized email address in the first place? I thought Amazon's website is secure.

I thought about sending an email to the unauthorized email address, but decided that it might open my computer to something worse. Is there any way to find out where this email might have come from?

Believe it or not, this actually has absolutely nothing to do with Amazon.com or whatever site you might be logging into. Amazon wouldn't have been able to help you even if you had made contact.

To be even clearer: the appearance of that address in the Email field does not mean someone gained access to your Amazon account.

To understand where that email address did come from, we need to understand just a little bit about how your web browser works and the teeny, tiniest bit about HTML.

It's not scary. Really.

Entering data on web pages

Let's use an example. Here's something that you might see on a typical login screen:

Email address:

In order to put that on a web page, such as this one, the web page author actually writes something like this:

Email address: <input type="text" name="email" size="30" />

That whole thing beginning with "<input" is the way that web page authors tell your browser, "I want a box here into which the user can type text; it should be 30 characters wide and will have a name of 'email'."

“Remember, it's your browser - not the website - that's doing this.”

Then, when you click on the corresponding Submit or Login button, the web browser sends to the website something that says, "Here's what was entered in the input field named 'email'."

You'll notice that most of that stuff you never see unless you look at the actual HTML encoding of a web page. In particular, you never see what name the web page author has chosen for any given field.

But conceptually, it's all pretty simple; there's a box that you type into and the website author can give that box a name.

It's important to realize that the name can be anything. I could use name="leos_corgi" and as long as the web server that was destined to receive that information expects something called "leos_corgi", then it works just fine.

As we'll see in a moment, though, there's at least one really common name.

Browser auto-fill

The first thing to realize is that it's not the website that's providing that list of email addresses - it's your web browser: Internet Explorer, Chrome, Firefox, or whatever it is you're using.

Essentially, all that the browser is doing is saying, "Oh, here's something that looks like something the user has entered before - I'll provide a list of what he's entered before so he can choose from that list instead of having to type it in all over again."

Remember, it's your browser - not the website - that's doing this.

So, where did the browser get that list of email addresses to show you?

That's where things get interesting.

A field by any other name

As it turns out, Amazon's email address field - the one that you type into to login - has this in it:

name="email"

In fact, it's extremely common for websites that ask you for an email address to give that box the name "email." They don't have to name it that, but it's such an obvious fit that the majority of websites that ask you for an email address will give that box the name "email."

Heck, even here on Ask Leo! if you ask me a question, the form that asks for your email address uses the name "email."

Here's the secret: your browser doesn't distinguish between boxes named "email" on different sites. To the browser, they're all "email."

So an address that you enter into one site - say my ask-a-question form - might then appear later as a suggestion for auto-fill on another completely unrelated site - like Amazon.

And it's all because we both elected to name the box where you type your email address the same thing: "email".

Watch it in action

Here's a very simple test to show it in action:

Email address:

Enter a bogus email address into the box above and click Submit. Your browser only actually remembers when the field that you've typed into has been submitted to a website. Don't worry - that Submit should bring you back to this webpage on the Ask Leo! website.

Now, go to Amazon.com and go to their login page (you may have to logout first).

In the Email field, type the first character or first few characters of whatever bogus email address that you entered above. If your browser supports auto-fill the way that most do, you should see that bogus email address that you typed in on this page above as one of the suggestions for your Amazon sign-in.

Bogus email appearing in Amazon login

Simply because both Amazon and I used the name "email."

So where'd that bogus entry come from?

The natural next question to ask then is where did that bogus email address on your Amazon login come from?

I have no idea.

What I can tell you is that it was almost certainly typed into a field named "email" on a web page somewhere that your web browser visited. It could be any website. As you saw above, it doesn't have to even be a login - just a web page with a field that someone typed into that happened to have the name "email."

How do I get rid of it?

This varies by browser.

The option to look for is typically referred to as "auto-fill," or in some cases, relates to "form data."

It's much like clearing your browser's cache, except that you want to clear your browser's memory of what's been entered into the forms that you've submitted to the website.

In Internet Explorer, that's Tools -> Internet Options, in the General tab, under Browsing history. Click the Delete button there.

Delete form data option in Internet Explorer

Make sure that the "Form data" option is clicked (along with whatever else you might like to delete while you're here), and click Delete.

Now, the browser will make no suggestions the next time that you encounter an entry field like "email."

But it will start over, once again remembering the email addresses that you've typed in so that it can provide them as suggestions that you can quickly click on instead of having you re-type them the next time you encounter an entry field with the same name as one you've entered before.

You know, like "email."

Most of the time. Some websites can, and do, use extensive Javascript to provide a more highly targeted auto-fill feature. Gmail's a great example when you're composing a message and filling in email addresses. The vast majority of websites, however, simply allow the browser to provide the auto-fill functionality that we're talking about here.

Article C5059 - January 31, 2012 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

9 Comments
Douglas Brace
January 31, 2012 6:57 PM

Something to consider related to these boxes is that it is insecure to have your web browser remember your saved username and password for a website.

Why? Because the username and password that your web browser saves for a website isn't encrypted.

As far as I know, Internet Explorer (all of it's versions) doesn't make it possible for someone to view this information using native Microsoft tools. Google Chrome and Mozilla Firefox have the ability to view this saved information in it's "Options" or "Preferences."

However, this data in Internet Explorer can still be accessed using third-party free software. For my job and the side work that I do, I routinely need to recover this information. I use and recommend a piece of software written by NirSoft called "IE PassView." Like other pieces of similar software, in the wrong hands, is tool can be dangerous but it can also be a life saver for someone that forgets their username and password.

http://www.nirsoft.net/utils/internet_explorer_password.html

icemanX
January 31, 2012 7:25 PM

for what I do I use email alias's

example I sign up with say here and I use say
ask-leo.com@

[Leo can see by my email address (not shown) how I do it]

or using say ---> microcrap.com @ ask-leo.com

this way, anytime I am inputting a new signup email address needed
I will know if I have used or entered it before on a site!

saves a lot of time for me

but you have to look at how your email addresses are, if you dont have a domain to use
you can buy one - sorry I cant let you know what else you can use or I would

have a nice day

Jen
January 31, 2012 7:27 PM

A simpler way to delete just one items from the list would be to highlight the one you want to get rid of, right-click and then select delete. The other email addresses in the list will not be affected.

sVen
February 3, 2012 8:41 AM

The writer said they saw an email address which they didn't recognize. If they are the only user of their computer, it means someone else accessed it and typed in an email address. Maybe it's a computer shared by a couple, a family, or some other group, but if not, I'd want to know who was on it.

Gabe Lawrence
February 3, 2012 9:50 AM

I noticed that on Amazon's site, they have two areas to log in. The screenshot that Leo shows is the main login (when you click the "sign in" link at the top LEFT). That one doesn't give me the drop down. However, if I click the "Your Account" link in the upper RIGHT, the email field on that page will display a drop-down. I'm using IE9 and I suspect that has something to do with what I'm seeing. Just FYI.

Hilary
February 4, 2012 3:44 AM

Leo, honestly, I have only once had auto-complete input a stranger's name, and that was back in XP days, and the machine I bought was (I learned) sold unbeknownst to me refurbished. Auto-complete absolutely inputs my personal data (Firefox is awfully temperamental about it, though); I just haven't had this experience since the early days of e-commerce.

Ken
February 4, 2012 10:31 PM

Is there a way to make IE9 and Chrome not keep form data in the first place. Deleting the form data seems to be closing the barn door after the horse has left the barn.

Mark J
February 5, 2012 3:47 AM

@Ken
In Chrome click on the wrench icon in the upper right and choose "New incognito window" or click ctrl+shift+n

In IE9 click on "Tools" and select "In Private Browsing" or click ctrl+shift+p

Glenn P.
February 6, 2012 8:44 AM

You never have to worry about strange auto-complete E-Mail addresses showing up, if you turn off auto-complete in the first place.

Just a thought!     :)

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.