If you’re like most people, you rely on browser autofill to complete annoying web forms. Browser “autofill” automatically fills your information into fields in web forms based on information you’d previously entered into these fields.
The bad news is that malicious third parties and black-hat hackers can use this autofill feature in browsers to trick you into giving away your sensitive information. A white-hat hacker from Finland, Viljami Kuosmanen, who is also a web developer, showed in his GitHub demo that attackers could hijack the autofill feature in plugins, password managers (and such tools), and browsers.
Long before Kuosmanen, ElevenPaths security analyst, Ricardo Martin Rodriguez, had discovered this browser autofill vulnerability in 2013. So far, Google hasn’t found a solution to this vulnerability.
Spilling your sensitive information unknowingly
On Kuosmanen’s proof-of-concept demo website you’ll see a simple web form consisting of only two fields – name and email address. However, the form has many hidden (i.e. out of sight) fields on there; these hidden fields include address, organization, phone number, city, postal code, and country.
In a form like the one above, you would see only the name and email fields, but your autofill feature would automatically fill in your details in the remaining fields. A phishing web form like the one above would have collected more information than you are aware of when you click the Submit button.
To test your browser and extension autofill features, you can use the proof-of-concept site Kuosmanen had set up. On submitting the form I noticed that it’d grabbed more information than I gave. I used the latest Mozilla Firefox for this test and was amazed at how much information I spilled out.
In Chrome auto-filling financial data triggers a warning for websites without HTTPS. In my experience Kuosmanen’s form attempted to collect the date I filled the form, my address, my credit card number, CVV, credit card expiration date, my city, country, email, name, organization, phone, and postal code.
The form even tried to collect some metadata on my browser type, my current IP address and more. See my screenshot below.
Apple Safari, Google Chrome, and Opera were all vulnerable during a Kuosmanen attack test.
In January 2017 Daniel Veditz, Mozilla’s principal security engineer, said that Firefox browsers cannot be deceived into programmatically filling out text boxes. Firefox users are safe from browser autofill attacks (at least for now), as the browser doesn’t have a multi-box autofill system. Mozilla’s Firefox browser makes it mandatory for users to manually select pre-filled data for each text box in a web form.
Conclusion: turn off your browser autofill feature
The easiest precaution to take against phishing attacks is to turn the form autofill feature off in your browser, extension settings or password manager. Your browser autofill feature, by default, is turned on.
To turn autofill off in Chrome:
1. Go to the browser’s “Settings.”
2. Find “Advanced Settings” at the bottom of the page.
3. In the “Passwords and Forms” area uncheck “Enable Autofill.”
To turn autofill off in Opera:
1. Head to Settings.
2. Go to “Autofill” and turn it off.
To turn autofill off in Safari:
1. Go to “Preferences.”
2. Click on “Autofill” to switch it off.
If you found this post useful please click “Yes” below. We’d be happy to see your comments, too.