This is Why You Need to Secure Your Autofill Info Now

Phishing autofill
The autofill function in your browser is a convenient way to quickly complete web forms, but many browsers will also autofill hidden fields and give away data that you don’t intend to provide.

Finnish web developer and hacker Viljami Kuosmanen has discovered that the autofill functionality in some browsers, including Google Chrome, Safari, Internet Explorer and Opera, and in browser plugins like LastPass, can be tricked into giving away more personal information than is actually being entered into an online form. This is done with a phishing web page that contains hidden text boxes alongside the visible ones.

It works when someone inadvertently visits a phishing site that may look a lot like a trusted website, or is sent there by a phishing email pointing to a lure page. When the person enters basic information, such as their name or email address, the browser's autofill will complete the fields that are in view and potentially several other fields that are not visible but are collecting additional data, such as credit card information, phone number, location, etc.
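The following is an added example, not code from the original article or from Mr. Kuosmanen's demonstration: a small scanner that reads form markup and reports inputs that autofill could populate even though the user can never see them. The CSS "hidden" heuristics and the list of autocomplete tokens are this example's own assumptions, and the sample form is constructed for the demonstration.

```javascript
// Added example (not from the original article): scan form markup for inputs
// that browser autofill could populate but that the user cannot see. The
// "hidden" heuristics and token list are this example's own assumptions.
const SENSITIVE_TOKENS = new Set([
  'name', 'given-name', 'family-name', 'email', 'tel', 'street-address',
  'postal-code', 'country', 'cc-name', 'cc-number', 'cc-exp', 'cc-csc',
]);
// Pull every <input ...> tag and its attributes out of an HTML string.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] || a[3] || a[4] || '';
    }
    inputs.push(attrs);
  }
  return inputs;
}
// CSS tricks that keep a field in the DOM but out of sight (heuristic list).
function isVisuallyHidden(style = '') {
  const s = style.replace(/\s+/g, '').toLowerCase();
  return /display:none/.test(s) || /visibility:hidden/.test(s) ||
    /opacity:0(;|$)/.test(s) || /(left|top):-\d{3,}px/.test(s) ||
    /(width|height):0(px)?(;|$)/.test(s);
}
// Inputs that autofill could fill without the user ever seeing them. type="hidden"
// is not flagged: browsers do not autofill it; the trick uses CSS-hidden text inputs.
function findHiddenAutofillFields(html) {
  return parseInputs(html)
    .filter(i => (i.type || 'text').toLowerCase() !== 'hidden')
    .filter(i => isVisuallyHidden(i.style))
    .filter(i => SENSITIVE_TOKENS.has((i.autocomplete || i.name || '').toLowerCase()))
    .map(i => i.autocomplete || i.name);
}
// Constructed sample form: two visible fields, three hidden by CSS, one type=hidden.
const SAMPLE_FORM = `<form>
  <input name="name" autocomplete="name">
  <input name="email" autocomplete="email" type="email">
  <input name="phone" autocomplete="tel" style="display: none">
  <input name="cc" autocomplete="cc-number" style="position:absolute; left:-5000px">
  <input name="addr" autocomplete="street-address" style="opacity: 0">
  <input type="hidden" name="csrf" value="constructed-token">
</form>`;
```

Run against `SAMPLE_FORM`, `findHiddenAutofillFields` reports `tel`, `cc-number` and `street-address`: the fields a user filling in only name and email would never know were submitted.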

This tweet from Mr. Kuosmanen demonstrates the issue:

If you use Firefox then there is no need to worry at this time, because it doesn’t have a multi-box autofill system and so can’t be tricked into filling text boxes by a phishing page, according to Mozilla principal security engineer Daniel Veditz. An autofill system is in development for Firefox.

Phishing is on the rise worldwide, accounting for over 90% of data breaches. Risks from phishing include ransomware, username and password breaches, identity fraud, financial loss from stolen credit card details, W-2 breaches that lead to tax refund scams, and wire fraud.

It’s easy to protect yourself from this kind of phishing attack. All you have to do is disable the autofill system of your browser or extension.

Instructions for disabling autofill:

  • Chrome: Click the three-dot “More” button in the top right > Settings > Show advanced settings. Under ‘Passwords and forms’ uncheck the box: ‘Enable Autofill to fill out web forms in a single click’.
  • Safari: Click on ‘Safari’ > Preferences > AutoFill. Lastly, uncheck each box to turn off the autocomplete.
  • Internet Explorer: Click on Tools or Gear icon > Internet Options. A window will pop up. Select the Content tab and click on the Settings button to the right of AutoComplete. Another window will open and you can delete your autocomplete history and deselect autocomplete features.
  • Opera: Click on Opera > Settings > Privacy & Security. In the Autofill section uncheck the box for ‘Enable auto-filling of forms on webpages’.
  • LastPass: Deactivate autofill by right-clicking the LastPass plugin icon in your browser toolbar. Select Options or Preferences and uncheck ‘Automatically Fill Login Information’. Note: LastPass does not appear to autofill hidden fields without you clicking on the field first, which is a good countermeasure.

The team at recommends "checking the settings on all the browsers and plugins you use to see if the autofill is enabled. If it is, turn it off within the settings menu until the solution is patched to require intentionally selecting fields for autofill." Securecast has set up a browser autofill vulnerability testing tool that you can use to check whether your browser is affected.

Image courtesy of StuartMiles at