If you use your web browser’s autofill on every website you visit, here is some important news. Browsers such as Chrome and Safari that support multi-field autofill (filling a whole saved profile from a single field) can be tricked into handing a website everything in that profile: name, address, phone number, email and even stored credit card numbers and expiry dates. (Browsers do not save the CVV, so that is the one card detail a saved profile cannot leak.)
How the phish works
A phishing page shows a couple of innocent-looking form fields, say name and email. Alongside them sit additional form fields that the page keeps out of view, typically by pushing them off-screen with negative margins or hiding them with other CSS tricks. These are ordinary text inputs, not `type="hidden"` inputs, because browsers skip hidden inputs when autofilling. When you autofill the visible fields from your saved profile, the browser fills the concealed fields too: from its point of view they are just more inputs in the same form.
Finnish web developer and hacker Viljami Kuosmanen discovered this vulnerability. He has also set up a demo site where you can watch the phish in action; visit his GitHub project page for more information.
If you look at the demo page’s source code, you can see that the extra form fields exist in the markup but never appear on screen. Once you fill in the innocent-looking “Name” text box using autofill, the other fields are populated automatically, and when you click Submit, all of that data is posted to the site.
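To make the trick concrete, here is an added example (not code from the original post or from Kuosmanen’s demo) that scans form HTML for exactly this pattern: inputs whose name, id or autocomplete attribute looks like something a browser would fill from a saved profile, yet which are hidden with CSS. It is a deliberate simplification: it only inspects inline `style` attributes (an in-page check would use `getComputedStyle` and `getBoundingClientRect`), the list of profile-like tokens is hand-picked, and the sample form is constructed for the example.

```javascript
// Heuristic scanner for "autofill bait" fields in form HTML.
// Added example; inline-style-only and token list are simplifying assumptions.

// Tokens browsers commonly map to profile data (hand-picked, not exhaustive).
const PROFILE_TOKENS = [
  "name", "email", "phone", "tel", "address", "street", "city", "zip",
  "postal", "country", "organization", "company", "card", "cc-", "cvc", "cvv", "exp",
];

// Properties whose negative values push an element off-screen.
const OFFSET_PROPS = new Set([
  "left", "top", "right", "bottom",
  "margin-left", "margin-top", "margin-right", "margin-bottom", "text-indent",
]);

// Parse the attribute list of a single tag into a lower-cased key -> value map.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// Parse an inline style string into a lower-cased property -> value map.
function parseStyle(style) {
  const decls = {};
  for (const part of style.split(";")) {
    const idx = part.indexOf(":");
    if (idx < 0) continue;
    decls[part.slice(0, idx).trim().toLowerCase()] = part.slice(idx + 1).trim().toLowerCase();
  }
  return decls;
}

// Return a short reason if the input is invisible to the user, else null.
function hiddenReason(attrs) {
  if ("hidden" in attrs) return "hidden attribute";
  const css = parseStyle(attrs.style || "");
  if (css.display === "none") return "display:none";
  if (css.visibility === "hidden") return "visibility:hidden";
  if (css.opacity !== undefined && parseFloat(css.opacity) === 0) return "opacity:0";
  for (const prop of ["width", "height", "font-size"]) {
    if (css[prop] !== undefined && parseFloat(css[prop]) === 0) return `${prop}:0`;
  }
  for (const [prop, value] of Object.entries(css)) {
    // parseFloat("-500px") === -500; parseFloat("auto") is NaN and never < 0.
    if (OFFSET_PROPS.has(prop) && parseFloat(value) < 0) return `${prop}:${value} (pushed off-screen)`;
  }
  return null;
}

// Does the field look like one a browser's autofill heuristics would populate?
function looksAutofillable(attrs) {
  const hay = [attrs.name, attrs.id, attrs.autocomplete, attrs.placeholder]
    .filter(Boolean).join(" ").toLowerCase();
  return PROFILE_TOKENS.some((t) => hay.includes(t));
}

// Scan every <input> in the HTML and report profile-like fields that are hidden.
function findHiddenAutofillFields(html) {
  const findings = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const type = (attrs.type || "text").toLowerCase();
    // type=hidden and button-like inputs are never autofilled; the bait is a
    // normal text input that CSS keeps out of sight.
    if (["hidden", "submit", "button", "image", "reset", "checkbox", "radio", "file"].includes(type)) continue;
    if (!looksAutofillable(attrs)) continue;
    const reason = hiddenReason(attrs);
    if (reason) {
      findings.push({ name: attrs.name || attrs.id || "(unnamed)", autocomplete: attrs.autocomplete || null, reason });
    }
  }
  return findings;
}

// Constructed sample form mirroring the trick: one visible field, four concealed ones.
const SAMPLE_FORM = `
<form action="/collect" method="post">
  <input type="text" name="name" placeholder="Name">
  <input type="email" name="email" style="margin-left:-500px">
  <input type="text" name="phone" style="position:absolute; left:-9999px">
  <input type="text" name="address" style="display:none">
  <input type="text" name="cardnumber" autocomplete="cc-number" style="opacity:0;height:0">
  <input type="hidden" name="csrf" value="not-a-target">
  <input type="submit" value="Submit">
</form>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findHiddenAutofillFields(SAMPLE_FORM)) {
    console.log(`${f.name} (autocomplete=${f.autocomplete}): ${f.reason}`);
  }
}
```

Running it against the constructed form flags `email`, `phone`, `address` and `cardnumber` and ignores the visible `name` box and the `csrf` field: the scanner only cares about inputs that a browser would fill and a human would never see. Real pages hide fields through stylesheets and scripts as well, so treat this as a starting point for a crawler or a browser extension rather than a complete detector.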
Firefox is not affected because it has no multi-field autofill. In Firefox you have to click into each field and type its first letter, double-click it, or press the down arrow and pick an entry from the dropdown, so nothing is written into fields you never interact with.
A fix from the Google Chrome team can be expected now that this simple but effective phishing method has been brought into the limelight. Until then, turn off autofill in your browser, or at least don’t use it on websites you don’t fully trust.
Turn off Autofill in Chrome
In Chrome, open Settings and click Show advanced settings.
Uncheck “Enable Autofill to fill out web forms in a single click” under “Passwords and forms.”
Turn off Autofill in Opera
In Opera, the autofill setting is under Settings > Privacy & security > Autofill. Uncheck “Enable auto-filling of forms on webpages.”
Update: Yoast wrote about this vulnerability back in 2013. See Why you should not use autocomplete • Yoast.