Slashdot Mirror


Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com)

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allows attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.
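A defender-side audit of the behaviour described above, added here as an example and not code from the article or from Kuosmanen's demo: it flags form fields that an autofill profile would populate but that are not visibly rendered. The field descriptor shape, the list of profile field names and the hiding heuristics are assumptions; in a browser the descriptors would be built from each element with getComputedStyle() and getBoundingClientRect().

```javascript
// Added example, not from the article or Kuosmanen's demo: flags fields an
// autofill profile could fill but the user cannot see. Checks cover the
// hiding tricks named on this page (type=hidden, display:none,
// visibility:hidden, 1px boxes, same-colour text) plus opacity:0 and
// off-screen placement, which are assumed here.

// Assumed approximation of the browser's field heuristics: autofillable if the
// autocomplete token is not "off" or the name matches a demo field name.
const PROFILE_NAMES = new Set(['name', 'email', 'phone', 'organization',
  'address', 'postal_code', 'city', 'country']);

function isAutofillable(f) {
  const ac = (f.autocomplete || '').trim().toLowerCase();
  return (ac && ac !== 'off') || PROFILE_NAMES.has((f.name || '').toLowerCase());
}

// f.style mirrors getComputedStyle(el); f.rect mirrors el.getBoundingClientRect().
function hiddenReasons(f) {
  const s = f.style || {}, r = f.rect || { x: 0, y: 0, width: 0, height: 0 };
  const reasons = [];
  if (f.type === 'hidden') reasons.push('type=hidden');
  if (s.display === 'none') reasons.push('display:none');
  if (s.visibility === 'hidden') reasons.push('visibility:hidden');
  if (Number(s.opacity) === 0) reasons.push('opacity:0');
  if (r.width <= 1 || r.height <= 1) reasons.push('size<=1px');
  if (r.x + r.width < 0 || r.y + r.height < 0) reasons.push('off-screen');
  if (s.color && s.color === s.backgroundColor) reasons.push('same-colour text');
  return reasons;
}

// Returns [{name, reasons}] for each autofillable field that is not visible.
function auditFields(fields) {
  return fields.filter(isAutofillable)
    .map(f => ({ name: f.name, reasons: hiddenReasons(f) }))
    .filter(f => f.reasons.length > 0);
}

// Constructed sample: the demo's two visible fields, six hidden profile
// fields, and one hidden non-profile field that must not be flagged.
const VIS = { display: 'block', visibility: 'visible', opacity: '1',
  color: 'rgb(0, 0, 0)', backgroundColor: 'rgb(255, 255, 255)' };
const BOX = { x: 10, y: 10, width: 200, height: 30 };
const mk = (name, style = {}, rect = {}, type = 'text') =>
  ({ name, type, autocomplete: '', style: { ...VIS, ...style }, rect: { ...BOX, ...rect } });
const SAMPLE = [mk('name'), mk('email'), mk('phone', { display: 'none' }),
  mk('organization', { visibility: 'hidden' }), mk('address', {}, { width: 1 }),
  mk('postal_code', { color: 'rgb(255, 255, 255)' }), mk('city', {}, {}, 'hidden'),
  mk('country', {}, { x: -9999 }), mk('comment', { display: 'none' })];
console.log(auditFields(SAMPLE).map(f => `${f.name}: ${f.reasons.join(', ')}`).join('\n'));
```

On a live page, `Array.from(form.elements)` mapped through getComputedStyle() and getBoundingClientRect() yields the same descriptor shape, so the audit can run from a bookmarklet or extension before a form is submitted.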

3 of 112 comments

  1. This is why HTML should be display neutral by Actually, I do RTFA · Score: 4, Insightful

    HTML was supposed to define a page semantically (e.g. header 1). Letting it get crufted up with instructions on how to make it look pretty was a horrible idea (albeit one that came early on). A form should look like a form. No, I don't need whatever new hotness some designer invented with some colorscheme A/B tested to hell and back to try to trick me into clicking the desired button.

    --
    Your ad here. Ask me how!
  2. Re:Just solve the bug... by hcs_$reboot · Score: 5, Insightful

    "don't autofill hidden form fields"

    How do you know it's hidden, for sure? The fields may be displayed in a non-showing mode in css (visible:hidden, display:none), or, worse, the fields might be shown in the same background color as the page (white on white). The fields could also be displayed with a 1px width... or buried somewhere within some text three pages down below...

    The autofill feature needs to be smarter, and show the user the list of fields to be filled, and ask if it's ok.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  3. Re:Just solve the bug... by geekmux · Score: 2, Insightful

    ...The autofill feature needs to be smarter, and show the user the list of fields to be filled, and ask if it's ok.

    Uh, ask the user?

    The user who abuses the I'm-too-lazy-to-type autofill feature?

    The user who will instantly dismiss any form of notification that requires reading and accept anyway?

    You mean that user?

    Seems you have forgotten about the mentality that created shit like autofill in the first place.