Browser Autofill Can Be Used To Steal Data

Uploaded on 2017-02-16 in BUSINESS-Services-IT & Telecoms, FREE TO VIEW, NEWS-Cybersecurity News, TECHNOLOGY--Hackers

Your browser or password manager’s autofill might be inadvertently giving away your information to unscrupulous phishers using hidden text boxes on sites.

Finnish web developer and hacker Viljami Kuosmanen discovered that several web browsers, including Google’s Chrome, Apple’s Safari and Opera, as well as some plugins and utilities such as LastPass, can be tricked into giving away a user’s personal information through their profile-based autofill systems.

The phishing attack is brutally simple. Kuosmanen discovered that when a user attempts to fill in information in some simple text boxes, such as name and email address, the autofill system, which is intended to avoid tedious repetition of standard information such as your address, will input other profile-based information into any other text boxes, even when those boxes are not visible on the page.

It means that when a user inputs seemingly innocent, basic information into a site, the autofill system could be giving away much more sensitive information at the same time should the user confirm the autofill.

Chrome’s autofill system, which is switched on by default, stores data on email addresses, phone numbers, mailing addresses, organisations, credit card information and various other bits and pieces.

Kuosmanen set up a site to demonstrate the issue, showing a text box for a user’s name and email address, with text boxes for address and phone number hidden from view, auto-filled by Chrome.

Mozilla’s Firefox is immune to the problem, as it does not yet have a multi-box autofill system and cannot be tricked into filling text boxes by programmatic means, according to Mozilla principle security engineer Daniel Veditz. A more complete autofill system is currently in development for Firefox, however.

The phishing attack still relies on users being tricked into entering at least some information into an online form, but unsuspecting users could be tricked into entering more than they bargained for relatively easily.

Users can protect themselves from this kind of phishing attack by disabling the autofill system within their browser or extension settings.

Guardian:      

FBI Calculate $2.3 Billion Lost In CEO Email Scams:

 

« One Insurer Plans To Replace Humans With AI
Old IT Networks Stop New IoT Innovation »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

TenIntelligence

TenIntelligence

TenIntelligence provides due diligence, brand protection and fraud investigation services including digital forensics.

Certification Europe

Certification Europe

Certification Europe (now Amtivo Ireland) is an accredited certification body which provides ISO management system certification, including ISO 27001.

SecureNow Insurance Broker

SecureNow Insurance Broker

SecureNow is a commercial insurance broker based in India. Services offered include Cyber Risk insurance.

Hillstone Networks

Hillstone Networks

Hillstone Networks offers a broad range of security solutions for enterprises and data center networks – whether physical, virtual, or in the cloud.

ECOS Technology

ECOS Technology

ECOS Technology specializes in the development and sale of IT solutions for high-security remote access as well as the management of certificates and smart cards.

KBR

KBR

To help governments and other agencies to combat cyber threats, KBR is safeguarding their most valuable systems with sophisticated tools, hardware and training.

Variti

Variti

Variti Intelligent Active Bot Protection technology — traffic analysis, detection and stopping of malicious bots in real-time and effective response to DDoS attacks.

Web3fied

Web3fied

Web3fied is a seed stage company building the future of decentralized digital identity and credentials management.

Telesystem

Telesystem

Telesystem empowers businesses across the USA with a range of innovative network, communication and collaboration solutions.

Unciphered

Unciphered

Unciphered was created as the first company providing services for opening locked hardware cryptocurrency wallets.

WillJam Ventures

WillJam Ventures

WillJam Ventures are a private equity firm focused on investing in world-class cybersecurity companies that will become the next generation of leaders in protecting the world’s digital assets.

Index Engines

Index Engines

Index Engines is the world’s leading AI-powered analytics engine to detect data corruption due to ransomware.

Secure Cyber Management

Secure Cyber Management

Secure Cyber Management provides industry-leading cloud security advice, guidance and services.

Potech

Potech

Potech provides masterful services in Information & Technology and Cybersecurity to multiple markets across the world.

Cure53

Cure53

Cure53 offers classic black-box penetration tests (zero-knowledge) as well as white-box tests and code audits.

SurePath AI

SurePath AI

SurePath AI is a SaaS platform that governs any GenAI solutions you build, adopt, or buy - even Shadow AI.