Slashdot Mirror


Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com)

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allows attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.

20 of 112 comments

  1. Stupid feature anyway by know1 · · Score: 2

    I don't understand people who even save passwords, let alone full profiles of themselves.

    1. Re:Stupid feature anyway by KiloByte · · Score: 2

      I don't understand people who even save passwords, let alone full profiles of themselves.

      Saving passwords works separately and differently than form autofill. I find it useful for shit sites (ie, 95% of all passwords) -- and if you can get them if you pwn my browser, oh well.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Stupid feature anyway by slashrio · · Score: 2

      I do save passwords, but in a separate vault. I pick them up (copy) there and paste them when needed.
      My 'vault' is a VM with no internet access under QubesOS installed on an encrypted HD.
      Of course there are backups on USB sticks, encrypted.

      --
      "Trump!!", the new Godwin.
  2. Re:Obvious solution by Anonymous Coward · · Score: 2

    Determining visibility of an element is exceptionally hard in a browser. There can be overlays, transparency, dynamic elements, or simply making elements visible for a split second in a corner, for autofill to work, then capturing the data and removing the elements. I'm sure we can come up with more creative workarounds. Supposedly Firefox works around the issue by prompting the user which fields to autofill.

  3. Re:Bad design by darkain · · Score: 3, Interesting

    This is already easily broken, though. If you're only doing UI overlays on the Z axis as close to the user as possible, just fix position of the element outside of the view frame, such as top:-10000px

    A better solution would be to list all fields which will receive input data. Have the browser list out every single field. Inform the user BEFORE the action is taken.

  4. This is why HTML should be display neutral by Actually,+I+do+RTFA · · Score: 4, Insightful

    HTML was supposed to define a page semantically (e.g. header 1). Letting it get crufted up with instructions on how to make it look pretty was a horrible idea (albeit one that came early on). A form should look like a form. No, I don't need whatever new hotness some designer invented with some colorscheme A/B tested to hell and back to try to trick me into clicking the desired button.

    --
    Your ad here. Ask me how!
  5. Re:Obvious solution by Shane_Optima · · Score: 3, Informative

    Surely just only auto-fill visible fields?

    That sounds tricky as hell... how many different ways of hiding the fields are there? They could be tiny, they could be behind another element, they could be unlabeled with white text on a white background, they could be at the bottom of the page past the point where most people will bother scrolling, etc.

    If autofill absolutely must be used, the correct way to do this would be to warn the user with a popup that the website is requesting information XYZ, not unlike how they currently have a popup saying that a website is requesting your detailed location information.

    Also, I'm astonished this attack hasn't popped up before now.

  6. Proof of concept demo by Shane_Optima · · Score: 5, Funny

    "don't autofill hidden form fields". Kudos to the researcher, but hardly a topic worthy of lengthy discussion?

    Hmm.

    If Field.IsCleverlyHiddenByAPhisher == False
        Autofill(Field)
    else
        /* do nothing */
    end

    Wow, you're right! That was easy!

    1. Re:Proof of concept demo by mwvdlee · · Score: 4, Informative

      If Field.IsCleverlyHiddenByAPhisher == False

      Whilst you're at it, could you also add a "If Site.IsTryingToInstallMalware", so we can finally get rid of that problem too?
      I'd also like a "If DatingSite.WillProfileMakeOutOnFirstDate", but I think it might be too easy for you.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:Proof of concept demo by Shane_Optima · · Score: 2

      I'm just waiting for someone to mention that my solution would be totally unnecessary if only phishing sites would properly support the standards outlined in RFC 3514.

  7. Re:Just solve the bug... by hcs_$reboot · · Score: 5, Insightful

    "don't autofill hidden form fields"

    How do you know it's hidden, for sure? The fields may be displayed in a non-showing mode in css (visible:hidden, display:none), or, worse, the fields might be shown in the same background color as the page (white on white). The fields could also be displayed with a 1px width... or buried somewhere within some text three pages down below...

    The autofill feature needs to be smarter, and show the user the list of fields to be filled, and ask if it's ok.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  8. This Kills Autofill by jaa101 · · Score: 4, Interesting

    The only responsible action for the browser companies to do is to kill off autofill. There's no reliable way for the browser to be sure the user can see which fields have been autofilled. Any attempt to popup and warn the user is going to be annoying, reduce the convenience of the feature, be confusing and people will just click-through 99% of the time anyway. This is why we can't have nice things.

    1. Re:This Kills Autofill by AmiMoJo · · Score: 2

      It would be better for everyone if there was some standard way for web sites to request certain personal information that is necessary for online shopping and the like. Easier for users to have a consistent UI instead of every site using a different form, and better for security as the data can be better controlled.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  9. Re:Just solve the bug... by geekmux · · Score: 2, Insightful

    ...The autofill feature needs to be smarter, and show the user the list of fields to be filled, and ask if it's ok.

    Uh, ask the user?

    The user who abuses the I'm-too-lazy-to-type autofill feature?

    The user who will instantly dismiss any form of notification that requires reading and accept anyway?

    You mean that user?

    Seems you have forgotten about the mentality that created shit like autofill in the first place.

  10. Re:Just solve the bug... by Opportunist · · Score: 2

    I feel kinda odd for suggesting something I saw in a MS product, but how about the Excel approach? When you start to type in a field, it offers you a known text that would complete what you started.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Re:Bad design by Opportunist · · Score: 2

    The ones that care.

    To the rest: Learn to read or get off the internet. No sympathy.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Confirmation dialog with all fields? by swb · · Score: 2

    The browser should place an "autofill" button on the toolbar or someplace off limits from any web site manipulation.

    This button should open a dialog box listing all the fields to be filled with the data to be filled, with checkboxes to enable/disable filling certain fields and to edit the data that is submitted.

    This would allow the user to be certain as to what form fields were filled and which ones weren't in a UI environment not controlled/manipulated by the web site.

    Perhaps they could even extend it to create "profiles" of common field data that would allow you to choose from various sets of data (different addresses, phone numbers, etc) to fill in.

    But they should make use of the browser-controlled autofill dialog mandatory and never fill web page fields unless the user interacted with the browser autofill dialog so that sites couldn't mine data through hidden fields or cause accidental autofills from taking place.
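
The field listing that several comments in this thread ask for (enumerate every field autofill would populate, before filling), as an added example that is not part of any comment or of the linked demo. The field descriptors are constructed plain objects standing in for `getComputedStyle()` and `getBoundingClientRect()` results, and the names `PROFILE_FIELDS`, `hiddenReasons` and `auditForm` are hypothetical.

```javascript
// Field names an address/contact autofill profile would populate (constructed list,
// lower-cased from the fields named in the article; not any browser's real list).
const PROFILE_FIELDS = new Set(['name', 'email', 'phone', 'organization',
  'address', 'postal', 'city', 'country']);

// Reasons a field is probably invisible. `f.style` mirrors getComputedStyle();
// `f.box` is the field's box in document-relative pixels (absent if not rendered).
function hiddenReasons(f) {
  const reasons = [];
  const s = f.style || {};
  if (f.type === 'hidden') reasons.push('type=hidden');
  if (s.display === 'none') reasons.push('display:none');
  if (s.visibility === 'hidden' || s.visibility === 'collapse') reasons.push('visibility:hidden');
  if (s.opacity !== undefined && parseFloat(s.opacity) === 0) reasons.push('opacity:0');
  const b = f.box;
  if (b) {
    if (b.width <= 1 || b.height <= 1) reasons.push('tiny box');
    if (b.x + b.width <= 0 || b.y + b.height <= 0) reasons.push('off-page position');
  }
  return reasons;
}

// What a browser-owned confirmation dialog would list: every profile field in
// the form, each marked with why the user probably cannot see it.
function auditForm(fields) {
  return fields
    .filter(f => PROFILE_FIELDS.has(f.name))
    .map(f => ({ name: f.name, hidden: hiddenReasons(f) }));
}

// Constructed sample form using hiding tricks named in the thread.
const shown = { display: 'block', visibility: 'visible', opacity: '1' };
const box = (x, y, width = 200, height = 24) => ({ x, y, width, height });
const sampleForm = [
  { name: 'name', type: 'text', style: shown, box: box(20, 40) },
  { name: 'email', type: 'text', style: shown, box: box(20, 80) },
  { name: 'phone', type: 'text', style: shown, box: box(20, -10000) },
  { name: 'address', type: 'text', style: { ...shown, display: 'none' } },
  { name: 'city', type: 'text', style: shown, box: box(20, 120, 1) },
  { name: 'country', type: 'text', style: { ...shown, opacity: '0' }, box: box(20, 160) },
  // White-on-white passes every check above: the heuristics are incomplete.
  { name: 'postal', type: 'text', style: { ...shown, color: '#fff', backgroundColor: '#fff' }, box: box(20, 200) },
  { name: 'csrf_token', type: 'hidden' }, // legitimate hidden field, not profile data
];

for (const r of auditForm(sampleForm)) {
  console.log(r.name.padEnd(8), r.hidden.length ? 'HIDDEN: ' + r.hidden.join(', ') : 'looks visible');
}
```

The `postal` entry comes back as "looks visible", which is why the list has to show every field that would be filled rather than only the ones a heuristic flags.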

  13. Re:Just solve the bug... by coofercat · · Score: 2

    Click to fill fields you want maybe?

  14. Re:Obvious solution by Luthair · · Score: 2

    Sometimes there are hidden fields which back other elements. There are also legitimate cases, e.g. Google's login page has a hidden password field which an autofill will complete allowing the user to skip the second step (though it isn't really clear to me why a login page needs separate steps for the username and the password...)

  15. Re:Lynx by edtice1559 · · Score: 2

    Unfortunately many sites don't render well in Lynx. I hope that as the HTML standards evolve Lynx will work better. Also there isn't as much active Lynx development and, sadly, it has its own security holes ;(