Slashdot Mirror

← Back to Stories (view on slashdot.org)

Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com)

Posted by EditorDavid on from the I-know-what-you-typed-last-summer dept.

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allow attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.

2 of 112 comments (clear)

  1. Re:Obvious solution by Shane_Optima · · Score: 3, Informative

    Surely just only auto-fill visible fields?

    That sounds tricky as hell... how many different ways of hiding the fields are there? They could be tiny, they could be behind another element, they could be unlabeled with white text on a white background, they could be at the bottom of the page past the point where most people will bother scrolling, etc.

    If autofill absolutely must be used, the correct way to do this would be to warn the user with a popup that the website is requesting information XYZ, not unlike how they currently have a popup saying that a website is requesting your detailed location information.

    Also, I'm astonished this attack hasn't popped up before now.

  2. Re:Proof of concept demo by mwvdlee · · Score: 4, Informative

    If Field.IsCleverlyHiddenByAPhisher == False

    Whilst your at it, could you also add a `If Site.IsTryingToInstallMalware", so we can finally get rid of that problem too?
    I'd also like a "If DatingSite.WillProfileMakeOutOnFirstDate", but I think it might be too easy for you.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?