Browser Autofill Can Be Used To Steal Data

Your browser or password manager’s autofill might be inadvertently giving away your information to unscrupulous phishers using hidden text boxes on sites.

Finnish web developer and hacker Viljami Kuosmanen discovered that several web browsers, including Google’s Chrome, Apple’s Safari and Opera, as well as some plugins and utilities such as LastPass, can be tricked into giving away a user’s personal information through their profile-based autofill systems.

The phishing attack is brutally simple. Kuosmanen discovered that when a user fills in a few simple text boxes, such as name and email address, the autofill system, which is intended to spare users the tedious repetition of standard details such as their address, also inputs other profile-based information into any other text boxes on the form, even when those boxes are not visible on the page.

It means that when a user inputs seemingly innocent, basic information into a site, the autofill system could be giving away much more sensitive information at the same time should the user confirm the autofill.

Chrome’s autofill system, which is switched on by default, stores data on email addresses, phone numbers, mailing addresses, organisations, credit card information and various other bits and pieces.

Kuosmanen set up a site to demonstrate the issue, showing a text box for a user’s name and email address, with text boxes for address and phone number hidden from view, auto-filled by Chrome.

Mozilla’s Firefox is immune to the problem, as it does not yet have a multi-box autofill system and cannot be tricked into filling text boxes by programmatic means, according to Mozilla principal security engineer Daniel Veditz. A more complete autofill system is currently in development for Firefox, however.

The phishing attack still relies on users being tricked into entering at least some information into an online form, but unsuspecting users could be tricked into entering more than they bargained for relatively easily.

Users can protect themselves from this kind of phishing attack by disabling the autofill system within their browser or extension settings.
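A defender-side check for the pattern described above: an added example, not code from the article or from Kuosmanen's demo page, that audits a form's fields and reports which autofill-eligible boxes the user cannot actually see. Field descriptors, the autocomplete token list and the sample form are all constructed here for illustration.

```javascript
// Added example, not code from the article or from Kuosmanen's demo page:
// audit a form for fields that profile-based autofill would fill in but the
// user cannot see. Fields are plain descriptors ({name, type, autocomplete,
// style, rect}) so the check runs under Node as well as in a browser.
const AUTOFILL_TOKENS = new Set(['name', 'email', 'tel', 'street-address',
  'address-line1', 'postal-code', 'country', 'organization',
  'cc-number', 'cc-exp', 'cc-csc']);

// Several ways a box can be invisible to the user; any one is enough.
function isHidden({ style: s, rect: r }) {
  return s.display === 'none' || s.visibility === 'hidden' ||
    Number(s.opacity) === 0 || r.width === 0 || r.height === 0 ||
    r.right <= 0 || r.bottom <= 0;
}

// Would the browser's profile autofill consider this field at all?
// <input type="hidden"> is never autofilled, so it is not the concern here.
function isAutofillEligible(f) {
  if (f.type === 'hidden') return false;
  const token = (f.autocomplete || '').trim().split(/\s+/).pop();
  if (token === 'off') return false;
  return AUTOFILL_TOKENS.has(token) ||
    /name|mail|phone|tel|addr|zip|postal|card/i.test(f.name);
}

// Split autofill-eligible fields into what the form openly asks for and
// what it would collect without the user ever seeing the box.
function auditForm(fields) {
  const visible = [], concealed = [];
  for (const f of fields) {
    if (!isAutofillEligible(f)) continue;
    (isHidden(f) ? concealed : visible).push(f.name);
  }
  return { visible, concealed };
}

// Constructed sample mirroring the demo described in the article: name and
// email on screen, address and phone hidden in two different ways.
const shown = { display: 'block', visibility: 'visible', opacity: '1' };
const box = { width: 200, height: 30, right: 400, bottom: 120 };
const SAMPLE_FORM = [
  { name: 'name', type: 'text', autocomplete: 'name', style: shown, rect: box },
  { name: 'email', type: 'email', autocomplete: 'email', style: shown, rect: box },
  { name: 'address', type: 'text', autocomplete: 'street-address',
    style: { ...shown, display: 'none' }, rect: { width: 0, height: 0, right: 0, bottom: 0 } },
  { name: 'phone', type: 'tel', autocomplete: 'tel', style: shown,
    rect: { ...box, right: -800 } },  // pushed off the left edge of the page
];
console.log(auditForm(SAMPLE_FORM));  // { visible: ['name','email'], concealed: ['address','phone'] }
```

In a browser the same descriptors can be built from each input's `getComputedStyle()` and `getBoundingClientRect()` before running `auditForm`.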

Guardian:
