Browser Autofill Data May be Phished

This certainly comes as no surprise. Fortunately, some browsers offer ways to protect against phishing access to autofill data, but that still might not completely eliminate the problem.

Most modern web browsers support comfortable features like auto-filling forms on sites using data that you have entered in the past. Instead of having to enter your name, email address or street address whenever you sign up for a new account for instance, you’d fill out the data once only and have the browser fill out the fields for you any time they are requested afterwards.

But autofill can also be a privacy issue. Imagine a site requesting that you enter your name and email address on a page. You would probably assume that this is the only data it requests, and that your browser will only fill out those fields and nothing else.

Watch what happens when the developer of a site adds hidden fields to a page.

autofill demo

Note that hidden in this regard means visible but drawn outside the visible screen.

The browser may fill out fields that you don’t see but are there. As you can see, this may include personal data without you being aware that the data is submitted to the site. While you could analyze any page’s source code before submitting anything, doing so is highly impracticable.

You can download the example index.html file from GitHub. Please note that this appears to work in Chrome but not in Firefox at the time of writing. It is likely that Chrome-based browsers will behave the same.

Chrome will only fill out the following information by default: name, organization, street address, state, province, zip, country, phone number and email address. Note that you may add other date, credit cards for instance, to autofill.

Since there is no way of stopping this from the user’s end, it is best right now to disable autofill until the issue gets fixed.

It is interesting to note that this is not a new issue, but one that has been mentioned since at least 2010. A Chromium bug was reported in mid 2012, but it has not found any love yet.

Disable autofill in Chrome

chrome disable autofill

You can disable Google Chrome’s autofill functionality in the following way:

  1. Load chrome://settings/ in the web browser’s address bar.
  2. Click on “show advanced settings” at the end of the page.
  3. Scroll down to the “passwords and forms” section.
  4. Remove the checkmark from “Enable Autofill to fill out web forms in a single click”.

Mozilla Firefox does not seem to be affected by this. You can find out about disabling autofill in Firefox on Mozilla’s Support website.

Closing Words

There is the question whether browser add-ons that support automatic form filling may leak data to sites that use hidden form fields as well. I did not test this, but it would be interesting to find out.

Link to Original Content

Tags: , , , ,

Comments are closed.