Browser Autofill Can Be Used To Steal Data

Uploaded on 2017-02-16 in BUSINESS-Services-IT & Telecoms, FREE TO VIEW, NEWS-Cybersecurity News, TECHNOLOGY--Hackers

Your browser or password manager’s autofill might be inadvertently giving away your information to unscrupulous phishers using hidden text boxes on sites.

Finnish web developer and hacker Viljami Kuosmanen discovered that several web browsers, including Google’s Chrome, Apple’s Safari and Opera, as well as some plugins and utilities such as LastPass, can be tricked into giving away a user’s personal information through their profile-based autofill systems.

The phishing attack is brutally simple. Kuosmanen discovered that when a user attempts to fill in information in some simple text boxes, such as name and email address, the autofill system, which is intended to avoid tedious repetition of standard information such as your address, will input other profile-based information into any other text boxes, even when those boxes are not visible on the page.

It means that when a user inputs seemingly innocent, basic information into a site, the autofill system could be giving away much more sensitive information at the same time should the user confirm the autofill.

Chrome’s autofill system, which is switched on by default, stores data on email addresses, phone numbers, mailing addresses, organisations, credit card information and various other bits and pieces.

Kuosmanen set up a site to demonstrate the issue, showing a text box for a user’s name and email address, with text boxes for address and phone number hidden from view, auto-filled by Chrome.

Mozilla’s Firefox is immune to the problem, as it does not yet have a multi-box autofill system and cannot be tricked into filling text boxes by programmatic means, according to Mozilla principle security engineer Daniel Veditz. A more complete autofill system is currently in development for Firefox, however.

The phishing attack still relies on users being tricked into entering at least some information into an online form, but unsuspecting users could be tricked into entering more than they bargained for relatively easily.

Users can protect themselves from this kind of phishing attack by disabling the autofill system within their browser or extension settings.

Guardian:      

FBI Calculate $2.3 Billion Lost In CEO Email Scams:

 

« One Insurer Plans To Replace Humans With AI
Old IT Networks Stop New IoT Innovation »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Logicalis

Logicalis

Logicalis are a leading provider of global IT solutions and managed services.

ClearedJobs.Net

ClearedJobs.Net

ClearedJobs.Net is a career site and job fair company for professionals seeking careers in the defense, intelligence and cyber security communities.

MarQuest

MarQuest

MarQuest provides services and systems to enhance network reliability and security.

QATestLab

QATestLab

QATestLab is a leading International software testing company offering a full range of software testing services including security testing.

Italian Association of Critical Infrastructure Experts (AIIC)

Italian Association of Critical Infrastructure Experts (AIIC)

AIIC acts as a focal point in Italy for expertise on the protection of Critical Infrastructure including ICT networks and cybersecurity.

International Accreditation Forum (IAF)

International Accreditation Forum (IAF)

The IAF is the world association of Conformity Assessment Accreditation Bodies. Its primary function is to develop a single worldwide programme of conformity assessment.

Zymbit

Zymbit

Zymbit provides hardware security modules (HSM) for IoT devices, including Raspberry Pi and other single board computers.

DarkOwl

DarkOwl

DarkOwl provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data.

Fudo Security

Fudo Security

Fudo Security is a leading provider of privileged access management and privileged session monitoring solutions.

Palantir

Palantir

Palantir software empowers entire organizations to answer complex questions quickly by bringing the right data to the people who need it.

Radiance Technologies

Radiance Technologies

Radiance solutions provide technological advantage and operational superiority for our nation in the areas of intelligence, cyber and advanced weapon systems.

Proximus Ada

Proximus Ada

Proximus Ada is the first Belgian center of excellence combining artificial intelligence and cybersecurity.

Salus Cyber

Salus Cyber

Salus is a provider of world-class cyber security services, enabling our clients to identify and manage their cyber risks proactively and effectively.

ThreatER

ThreatER

ThreateER (formerly ThreatBlockr / Bandura Cyber) is a cybersecurity platform that provides active network defense by automating the discovery, enforcement, and analysis of cyber threats at scale.

Digital.ai

Digital.ai

Digital.ai empowers organizations to scale software development teams, continuously deliver software with greater quality and security.

InQuest

InQuest

InQuest specialize in providing comprehensive network-based security solutions that empower organizations to protect their most critical assets: their people.