
Auto-fill browser functionality can override API keys for reCAPTCHA and block Admin Panel access #234

@sdzhepa

Description


If the Admin login is saved in Chrome, the login becomes the default values for the Google reCAPTCHA Website Key and Secret Key. As a result, it is possible (and very easy) to lock all users out of the Admin by setting Security > Google reCAPTCHA Admin Panel > Admin - Enable for Login to "Yes."

  1. At some point in the past, the Admin login was saved in Chrome. As a result, the login becomes the default values for the Google reCAPTCHA Website Key and Secret Key.
  2. The user goes to Security > Admin Panel and sets Enable for login to "Yes," without properly configuring the Google API Website Key and Secret Key, and saves the configuration.
  3. After logging out, the user cannot log back in, and all other Admin users are locked out.

[Screenshot: reCAPTCHA-fields-login-values]

Note

We were able to fix this from the command line:

    bin/magento security:recaptcha:disable-for-user-login

Possible solution

Use autocomplete="off" to turn off form autocompletion
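As an added example (not code from magento/security-package), a save-time guard that refuses to enable reCAPTCHA for admin login with keys that look like autofilled credentials, next to form markup for the key fields; the configuration field names and the `adminUsername` parameter are assumptions.

```javascript
// Added example, not Magento's code. Field names are assumptions, not
// Magento's real configuration paths.

// Returns { ok, errors } for a posted reCAPTCHA admin configuration.
// `adminUsername` is the username of the admin saving the form, i.e. the
// value Chrome would have filled into the Website Key field.
function validateRecaptchaAdminConfig(posted, adminUsername) {
  const errors = [];
  if (!posted.enableForLogin) {
    return { ok: true, errors }; // nothing risky is being switched on
  }
  const fields = [["websiteKey", posted.websiteKey], ["secretKey", posted.secretKey]];
  for (const [name, value] of fields) {
    const v = (value || "").trim();
    if (v === "") {
      errors.push(`${name} is empty; enabling would lock every admin out`);
    } else if (v === adminUsername) {
      errors.push(`${name} equals the admin username; looks like browser autofill`);
    }
  }
  if (posted.websiteKey && posted.websiteKey === posted.secretKey) {
    errors.push("websiteKey and secretKey are identical");
  }
  return { ok: errors.length === 0, errors };
}

// Markup for the two key inputs. autocomplete="off" on its own is not enough:
// Chrome ignores it on fields it classifies as a login form, but it does honour
// autocomplete="new-password" on a password-type input, so the secret key uses
// that and the site key is declared as a plain text field with a non-login name.
function recaptchaKeyFieldsMarkup() {
  return [
    '<form autocomplete="off">',
    '  <label>Website Key',
    '    <input type="text" name="recaptcha_website_key" autocomplete="off"></label>',
    '  <label>Secret Key',
    '    <input type="password" name="recaptcha_secret_key" autocomplete="new-password"></label>',
    "</form>",
  ].join("\n");
}
```

The guard only catches the username (the value that lands in Website Key); an autofilled password in Secret Key is still rejected when it is empty or identical to the site key, so a live verification call before saving remains the stronger check.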

Additional information

  • Internal jira ticket: MC-34718
  • Regression bug for 2.4.0
  • Priority: P1
  • Severity: S1
