Browser Autofill Can Be Used To Steal Data

Uploaded on 2017-02-16 in BUSINESS-Services-IT & Telecoms, FREE TO VIEW, NEWS-Cybersecurity News, TECHNOLOGY--Hackers

Your browser or password manager’s autofill might be inadvertently giving away your information to unscrupulous phishers using hidden text boxes on sites.

Finnish web developer and hacker Viljami Kuosmanen discovered that several web browsers, including Google’s Chrome, Apple’s Safari and Opera, as well as some plugins and utilities such as LastPass, can be tricked into giving away a user’s personal information through their profile-based autofill systems.

The phishing attack is brutally simple. Kuosmanen discovered that when a user attempts to fill in information in some simple text boxes, such as name and email address, the autofill system, which is intended to avoid tedious repetition of standard information such as your address, will input other profile-based information into any other text boxes, even when those boxes are not visible on the page.

It means that when a user inputs seemingly innocent, basic information into a site, the autofill system could be giving away much more sensitive information at the same time should the user confirm the autofill.

Chrome’s autofill system, which is switched on by default, stores data on email addresses, phone numbers, mailing addresses, organisations, credit card information and various other bits and pieces.

Kuosmanen set up a site to demonstrate the issue, showing a text box for a user’s name and email address, with text boxes for address and phone number hidden from view, auto-filled by Chrome.

Mozilla’s Firefox is immune to the problem, as it does not yet have a multi-box autofill system and cannot be tricked into filling text boxes by programmatic means, according to Mozilla principle security engineer Daniel Veditz. A more complete autofill system is currently in development for Firefox, however.

The phishing attack still relies on users being tricked into entering at least some information into an online form, but unsuspecting users could be tricked into entering more than they bargained for relatively easily.

Users can protect themselves from this kind of phishing attack by disabling the autofill system within their browser or extension settings.

Guardian:      

FBI Calculate $2.3 Billion Lost In CEO Email Scams:

 

« One Insurer Plans To Replace Humans With AI
Old IT Networks Stop New IoT Innovation »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Endace

Endace

Endace is a leader in network visibility, network recording and packet capture solutions for security, network and application performance monitoring.

Markel International

Markel International

Markel International is an international insurance company which looks after the commercial insurance needs of businesses. Specialist services include Cyber Risk insurance.

Organization for Security and Co-operation in Europe (OSCE)

Organization for Security and Co-operation in Europe (OSCE)

OSCE is the world's largest security-oriented intergovernmental organization. Areas of activity include Cyber/ICT security.

CYBER 1

CYBER 1

CYBER 1 provides cyber security solutions to customers wanting to be resilient against new and existing threats.

EdgeWave

EdgeWave

EdgeWave provides simple but highly effective data security and advanced threat protection in solutions that are affordable, scalable and easy to use.

Hallam-ICS

Hallam-ICS

Hallam-ICS designs MEP systems for facilities and plants, control and automation solutions, and ensures safety and regulatory compliance.

u-blox

u-blox

u-blox deliver leading wireless technology to reliably and securely locate and connect people and devices.

Angoka

Angoka

Angoka provide hardware-based solutions for managing the cybersecurity risks inherent in machine-to-machine communication networks.

ChaosSearch

ChaosSearch

ChaosSearch is a massively scalable ELK-compatible log analysis platform delivered as a fully managed service with high-performance and low cost.

Schillings

Schillings

Shillings defends your rights to privacy, reuptation and security. We fight passionately against breaches of your privacy, attacks on your reputation and threats to your security.

Infisign

Infisign

Infisign addresses the challenges of traditional IAM systems and offers a comprehensive solution for modern identity management.

Multipoint Group

Multipoint Group

Multipoint is an information security and protection solutions company operating in the South EMEA region through value-added distribution channels.

Prophet Security

Prophet Security

Prophet Security empowers organizations to triage, investigate, and respond to alerts with unparalleled speed and accuracy.

Nagomi Security

Nagomi Security

Nagomi is changing the way security teams balance risk and defense, empowering customers to focus on what matters now.

LT Harper

LT Harper

LT Harper specialise in cyber security recruitment. We believe in providing an individualised service to our customers whether they are looking for a new opportunity or to hire talent.

Dial A Geek

Dial A Geek

Dial A Geek are a Bristol-based B Corp that provides Managed IT Services to companies of 20+ users. We help businesses with a smart use of tech, including compliance and cybersecurity solutions.