Your browser or password manager’s auto-fill might be inadvertently giving away your information to phishers using hidden text boxes on sites.
Most people hate filling out web forms, especially on mobile devices.
To make this process user friendly, Google Chrome and other major browsers offer an “Auto-fill” feature that automatically fills out web forms based on data you have previously entered in similar fields.
Web developer and whitehat hacker Viljami Kuosmanen published a demo on GitHub that shows how an attacker could take advantage of the auto-fill feature provided by most browsers, plugins, and tools such as Password Managers.
Although this trick was first discovered by Ricardo Martin Rodriguez, Security Analyst at ElevenPaths, in 2013, it seems Google hasn’t done anything to address the weakness in the Auto-fill feature.
The proof-of-concept demo website consists of a simple online web form with just two fields: Name and Email. But what’s not visible are many hidden (out of sight) fields, including the phone number, organization, address, postal code, city, and country.
Giving away all your Personal Information Unknowingly
So, if users with an auto-fill profile configured in their browsers fill out this simple form and click the submit button, they send every field on the page, unaware that the six fields hidden from view also get filled out and sent to unscrupulous phishers.
You can also test your browser and extension auto-fill feature using Kuosmanen’s PoC site.
Kuosmanen could make this attack even worse by adding more personal fields out of the user’s sight, including the user’s address, credit card number, expiration date, and CVV, although auto-filling financial data forms will trigger warnings in Chrome when sites do not offer HTTPS.
Kuosmanen’s attack works against a variety of major browsers and auto-fill tools, including Google Chrome, Apple Safari, Opera, and even the popular cloud security vault LastPass.
Mozilla’s Firefox users do not need to worry about this particular attack, as the browser currently does not have a multi-box auto-fill system and forces users to select pre-fill data for each box manually.
Therefore, the Firefox browser can’t be tricked into filling text boxes by programmatic means, Mozilla principal security engineer Daniel Veditz says.
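The attack relies on one property: a multi-field auto-fill populates inputs whose names or autocomplete hints look like personal data, whether or not the user can see them. A defensive check can use the same property in reverse and flag fields that auto-fill would touch but that are hidden from view. The following is an added example and not code from the article or from Kuosmanen’s PoC; the token list, the field descriptor shape and the visibility heuristics are my own assumptions. The core logic works on plain descriptors so it runs in Node; the `collectFormFields` adapter shows how those descriptors would be built from a live page.

```javascript
// Added example: detect form fields that a multi-field auto-fill would populate
// but that are hidden from the user (display:none, visibility:hidden, opacity:0,
// zero size, or positioned off-screen). All heuristics are assumptions, not a
// browser's actual auto-fill rules.

// Name/autocomplete fragments that commonly trigger profile auto-fill (assumed list).
const AUTOFILL_TOKENS = [
  'name', 'email', 'phone', 'tel', 'organization', 'address',
  'postal', 'zip', 'city', 'country', 'cc-', 'card',
];

// A field auto-fill might populate. <input type="hidden"> is excluded because
// browsers do not auto-fill it; the attack uses *visible-type* inputs hidden by CSS.
function isAutofillCandidate(field) {
  if (field.type === 'hidden') return false;
  const haystack = [field.name, field.id, field.autocomplete]
    .filter(Boolean).join(' ').toLowerCase();
  return AUTOFILL_TOKENS.some((t) => haystack.includes(t));
}

// A field the user cannot see. `style` holds computed-style values and `rect`
// the bounding box (width, height, right, bottom) relative to the viewport.
function isVisuallyHidden(field) {
  const s = field.style || {};
  const r = field.rect || {};
  if (s.display === 'none' || s.visibility === 'hidden') return true;
  if (Number(s.opacity) === 0) return true;
  if (r.width === 0 || r.height === 0) return true;
  if (r.right <= 0 || r.bottom <= 0) return true; // pushed off the top/left edge
  return false;
}

// Returns the names (or ids) of fields that are both auto-fillable and hidden.
function findHiddenAutofillFields(fields) {
  return fields
    .filter((f) => isAutofillCandidate(f) && isVisuallyHidden(f))
    .map((f) => f.name || f.id);
}

// Browser adapter (assumed usage, e.g. from a content script): turn live DOM
// elements into the plain descriptors the functions above expect.
function collectFormFields(doc, win) {
  return Array.from(doc.querySelectorAll('input, select, textarea')).map((el) => {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      name: el.name,
      id: el.id,
      type: el.type,
      autocomplete: el.getAttribute('autocomplete') || '',
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
      rect: { width: r.width, height: r.height, right: r.right, bottom: r.bottom },
    };
  });
}

// Constructed sample (not the PoC's markup): two visible fields like the demo,
// six personal-data fields hidden by different CSS tricks, plus a CSRF token and
// a type="hidden" input that should NOT be flagged.
const visible = { display: 'block', visibility: 'visible', opacity: '1' };
const box = { width: 200, height: 30, right: 300, bottom: 60 };
const SAMPLE_FIELDS = [
  { name: 'name', type: 'text', autocomplete: 'name', style: visible, rect: box },
  { name: 'email', type: 'email', autocomplete: 'email', style: visible, rect: box },
  { name: 'phone', type: 'tel', autocomplete: 'tel', style: visible,
    rect: { width: 200, height: 30, right: -800, bottom: 60 } },          // left:-1000px
  { name: 'organization', type: 'text', autocomplete: 'organization',
    style: { ...visible, display: 'none' }, rect: { width: 0, height: 0, right: 0, bottom: 0 } },
  { name: 'address', type: 'text', autocomplete: 'street-address',
    style: { ...visible, opacity: '0' }, rect: box },
  { name: 'postal_code', type: 'text', autocomplete: 'postal-code',
    style: { ...visible, visibility: 'hidden' }, rect: box },
  { name: 'city', type: 'text', autocomplete: 'address-level2', style: visible,
    rect: { width: 0, height: 30, right: 100, bottom: 60 } },             // width:0
  { name: 'country', type: 'text', autocomplete: 'country', style: visible,
    rect: { width: 200, height: 0, right: 300, bottom: 60 } },            // height:0
  { name: 'csrf_token', type: 'hidden', autocomplete: '', style: visible, rect: box },
  { name: 'country_code', type: 'hidden', autocomplete: '', style: visible, rect: box },
];

// Stand-alone run: in Node this reports the constructed sample; in a browser it
// would inspect the current page instead.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  console.log('hidden auto-fill fields:', findHiddenAutofillFields(collectFormFields(document, window)));
} else {
  console.log('hidden auto-fill fields:', findHiddenAutofillFields(SAMPLE_FIELDS));
}

module.exports = { isAutofillCandidate, isVisuallyHidden, findHiddenAutofillFields, collectFormFields, SAMPLE_FIELDS };
```

On the constructed sample the check reports exactly the six hidden personal-data fields and ignores the visible Name and Email inputs as well as the two `type="hidden"` inputs. A password manager or extension that ran something like this before filling a form could refuse to populate, or ask about, any field it cannot show to the user; a site owner can run it against their own forms to confirm that nothing auto-fillable is accidentally off-screen.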
Here’s How to Turn Auto-fill Feature Off
The simplest way to protect yourself against such phishing attacks is to disable the form auto-fill feature in your browser, password manager or extension settings.
The Auto-fill feature is turned on by default. Here’s how to turn it off in Chrome:
Go to Settings -> Show Advanced Settings at the bottom, and under the Passwords and Forms section uncheck the Enable Auto-fill box to fill out web forms with a single
In Opera, go to Settings -> Auto-fill and turn it off.
In Safari, go to Preferences and click on Auto-fill to turn it off.