Browser Autofill Phishing Using Hidden Form Fields – Beware and be Safe

If you’ve been using your web browser’s autofill on every website you visit, then here is some important news for you. It has been found that the web browsers such as Chrome, Safari or others that support multi-form autofill can be tricked into giving away your information, even the Credit Card numbers, their expiry dates and the CVV codes to websites.

How the phish works?

A phishing site may have visible form fields or text boxes to collect basic information such as user name and email address. In addition, the site will have other form fields configured to remain hidden on the web page, using negative margins or possibly other CSS methods. When you use auto-fill to fill up the visible form fields, the hidden form fields will also get their respective data.

Finnish web dev and hacker Viljami Kuosmanen has discovered this vulnerability. He has also set up a demo site where you can see how the phish works. Visit his GitHub project page for more information.

If you look at the demo webpage’s source code, you can see that the additional form fields exist on the web page, but they don’t appear on the screen. Once you fill in the innocent looking “Name” text box using autofill, the other fields get filled automatically. After you click Submit, the entire information is posted to the site.

browser autofill phishing
Example: cc_number field has a negative left margin (-500px) so that it doesn’t show on the page

Firefox is not vulnerable because it doesn’t support multi-form autofill. In Firefox, you need to select each field and type in the starting letter, or double-click the field, or press down arrow and click one of the items in the dropdown. Data won’t be automatically filled in the hidden textboxes.

One can expect a fix from the Google Chrome team as the simple but effective phishing method was brought to the limelight. Until then, turn off auto-fill in your web browser or at least don’t use auto-fill on websites that you don’t fully trust.

Turn off Autofill in Chrome

In Chrome, open Settings, click Show advanced settings.

browser autofill phishing

Uncheck “Enable Autofill to fill out web forms in a single click” under “Passwords and forms.”

Turn off Autofill in Opera

In Opera, autofill setting is available under Settings > Privacy & security > “Autofill”. Uncheck “Enable auto-filling of forms on webpages.”

browser autofill phishing

via Lifehacker.

Update: Just found that Yoast has written about this vulnerability back in 2013. Check out Why you should not use autocomplete • Yoast

One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support. It won't take more than 10 seconds of your time. The share buttons are right below. :)

Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded in 2005.

Leave a Comment