Slashdot Mirror

← Back to Stories (view on slashdot.org)

Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com)

Posted by EditorDavid on from the I-know-what-you-typed-last-summer dept.

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allow attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.

5 of 112 comments (clear)

  1. This is why HTML should be display neutral by Actually,+I+do+RTFA · · Score: 4, Insightful

    HTML was supposed to define a page semantically (e.g. header 1). Letting it get crufted up with instructions on how to make it look pretty was a horrible idea (albeit one that came early on). A form should look like a form. No, I don't need whatever new hotness some designer invented with some colorscheme A/B tested to hell and back to try to trick me into clicking the desired button.

    --
    Your ad here. Ask me how!
  2. Proof of concept demo by Shane_Optima · · Score: 5, Funny

    "don't autofill hidden form fields". Kudos to the researcher, but hardly a topic worthy of lengthy discussion?

    Hmm.

    If Field.IsCleverlyHiddenByAPhisher == False

    Autofill(Field)

    else

    /* do nothing */

    end

    Wow, you're right! That was easy!

    1. Re:Proof of concept demo by mwvdlee · · Score: 4, Informative

      If Field.IsCleverlyHiddenByAPhisher == False

      Whilst your at it, could you also add a `If Site.IsTryingToInstallMalware", so we can finally get rid of that problem too?
      I'd also like a "If DatingSite.WillProfileMakeOutOnFirstDate", but I think it might be too easy for you.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  3. Re:Just solve the bug... by hcs_$reboot · · Score: 5, Insightful

    "don't autofill hidden form fields"

    How do you know it's hidden, for sure? The fields may be displayed in a non-showing mode in css (visible:hidden, display:none), or, worse, the fields might be shown in the same background color as the page (white on white). The fields could also be displayed with a 1px width... or buried somewhere within some text three pages down below...

    The autofil feature needs to be smarter, and show the user the list of fields to be filled, and ask if it's ok.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  4. This Kills Autofill by jaa101 · · Score: 4, Interesting

    The only responsible action for the browser companies to do is to kill off autofill. There's no reliable way for the browser to be sure the user can see which fields have been autofilled. Any attempt to popup and warn the user is going to be annoying, reduce the convenience of the feature, be confusing and people will just click-through 99% of the time anyway. This is why we can't have nice things.