The autofill function in your browser is a convenient way to quickly complete web forms, but many browsers will also autofill hidden fields and give away data that you don’t intend to provide.
Finnish web developer and hacker Viljami Kuosmanen has discovered that the autofill functionality in some browsers, including Google Chrome, Safari, Internet Explorer and Opera, and in browser plugins like LastPass, can be tricked into giving away more personal information than is actually being typed into an online form. This is done by a script on a phishing website that places hidden text boxes alongside the visible ones.
It works when someone inadvertently visits a phishing site that looks a lot like a trusted website, or lands on a phishing lure page after following a link in a phishing email. When the person enters basic information, such as their name or email address, the browser's autofill attempts to complete the fields that are in view and, potentially, several other fields that aren’t visible but are collecting additional data such as credit card details, phone number, location and so on.
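As an added illustration (not code from the article, the tweet or Securecast's tool), the following JavaScript audits a page's HTML for input fields that are hidden from view yet still carry autocomplete hints, which is the kind of check a form-scanning tool or a reviewer would run; the sample form, the hidden-field heuristics and the list of sensitive autocomplete tokens are assumptions made for this demonstration.

```javascript
// Added audit helper (not the article's or Securecast's code): flag text inputs that
// a visitor cannot see but the browser may still autofill. Heuristics and the
// SAMPLE_FORM are constructed for this demonstration.
const SENSITIVE = new Set(["cc-number", "cc-exp", "cc-csc", "tel",
  "street-address", "address-line1", "postal-code", "bday"]);  // assumed list

// Minimal attribute reader for one <input ...> tag (not a full HTML parser).
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// "In the form, but not in view": common CSS tricks plus the HTML hidden attribute.
function isVisuallyHidden(attrs) {
  const style = (attrs.style || "").replace(/\s+/g, "").toLowerCase();
  return "hidden" in attrs ||
    /display:none|visibility:hidden|opacity:0(;|$)/.test(style) ||
    /(left|top):-\d{3,}px/.test(style);  // pushed far off-screen
}

// Returns the hidden, autofill-able fields so a reviewer or scanner can flag them.
// type=hidden, submit and button inputs are skipped: browsers do not autofill them.
function findHiddenAutofillFields(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    const type = (a.type || "text").toLowerCase();
    if (["hidden", "submit", "button"].includes(type) || !isVisuallyHidden(a)) continue;
    const ac = (a.autocomplete || "").toLowerCase();
    findings.push({ name: a.name || "(unnamed)", autocomplete: ac || "(default)",
                    sensitive: SENSITIVE.has(ac) });
  }
  return findings;
}

// Constructed lure in the shape the article describes: two fields the visitor
// expects to fill, plus off-screen fields that autofill may also populate.
const SAMPLE_FORM = `<form action="/subscribe" method="post">
  <input type="text" name="name" autocomplete="name">
  <input type="email" name="email" autocomplete="email">
  <input type="text" name="phone" autocomplete="tel" style="position:absolute; left:-9999px">
  <input type="text" name="card" autocomplete="cc-number" style="display:none">
  <input type="hidden" name="csrf" value="token-placeholder">
  <input type="submit" value="Subscribe"></form>`;
console.log(findHiddenAutofillFields(SAMPLE_FORM));
```

Running it lists the `phone` and `card` fields as hidden yet autofill-able, while the visible fields and the `type="hidden"` token are left alone.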
This tweet from Mr. Kuosmanen demonstrates the issue:
If you use Firefox, there is no need to worry at this time: it doesn’t have a multi-box autofill system, so it can’t be tricked into filling text boxes by a phishing page, according to Mozilla principal security engineer Daniel Veditz. An autofill system is in development for Firefox.
Phishing is on the rise worldwide, accounting for over 90% of data breaches. Risks from phishing include ransomware, username and password breaches, identity fraud, financial loss from stolen credit cards, W-2 breaches that lead to tax refund scams, and wire fraud.
It’s easy to protect yourself from this kind of phishing attack: disable the autofill system in your browser or extension.
Instructions for disabling autofill:
The team at Securecast.com recommends "checking the settings on all the browsers and plugins you use to see if the autofill is enabled. If it is, turn it off within the settings menu until the solution is patched to require intentionally selecting fields for autofill." Securecast has set up a browser autofill vulnerability testing tool that you can use to check your vulnerability.
Image courtesy of StuartMiles at www.freerangestock.com