Most of you probably utilize your web browser’s autofill/form fill feature. It can be a big time saver, automatically entering data like your name, address, and phone number on the lengthy check-out screens you encounter when you’re shopping online.
If you’re not careful, though, it could also be spilling your private information to a malicious third party.
Security researcher Viljami Kuosmanen has put together a proof-of-concept website that shows how a visitor can be tricked into spilling the data he or she has stored in a browser’s autofill system. All it takes is a couple of bits of information.
All Kuosmanen’s demonstration page asks for is a name and an email address. If you let autofill finish entering data into those boxes for you, it will also try to fill out any other fields it sees on the page — whether you can see them or not. The attack is about as unsophisticated as they come: all Kuosmanen had to do was hide the fields he wanted to stealthily swipe — the user’s address and credit card number, expiration date, and CVV.
Worse still, the attack works against a variety of browsers and autofill tools. Google Chrome, Apple’s Safari browser, Opera, and even LastPass, the secure password and form data tool acquired by LogMeIn in 2015, were all susceptible. Firefox users don’t need to worry about this particular attack as it currently only autocompletes forms on a field-by-field basis. If a user can’t click into a field, there’s no way for Firefox to offer up a suggestion.
As inconvenient as it may be from time to time, there’s a simple way to protect yourself from this kind of attack: disable form autofill in your browser or password/browser data manager. If you don’t want to get quite that drastic, make sure you fill out those forms manually on sites that you don’t trust 100%.
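For site owners and auditors who want to check a page for the hidden-field trick described above, here is an added example (not code from the article or from Kuosmanen’s demo): it flags form fields whose `autocomplete` attribute requests card or address data while the field is hidden from the user. The sensitive-token list, the hidden-field heuristics and the sample fields are constructed assumptions, not something the article specifies.

```javascript
// Added audit helper (not from the article or Kuosmanen's demo): flags form fields
// that request sensitive browser-autofill data while being hidden from the user.
const SENSITIVE_TOKENS = new Set(['cc-number', 'cc-exp', 'cc-exp-month', 'cc-exp-year',
  'cc-csc', 'cc-name', 'street-address', 'address-line1', 'address-line2', 'postal-code', 'tel']);

// The autocomplete attribute may carry section prefixes ("shipping cc-number");
// the field-type token is always the last word.
function autofillToken(attr) {
  const parts = (attr || '').trim().toLowerCase().split(/\s+/);
  return parts[parts.length - 1];
}

// A field descriptor is a plain object so the logic runs in Node without a DOM.
function isHiddenField(f) {
  if (f.type === 'hidden') return true;                          // <input type=hidden>
  if (f.display === 'none' || f.visibility === 'hidden') return true;
  if (Number(f.opacity) === 0) return true;                      // transparent but present
  if (f.width === 0 || f.height === 0) return true;              // collapsed box
  return f.right <= 0 || f.bottom <= 0;                          // pushed off-screen
}

function findHiddenSensitiveFields(fields) {
  return fields
    .filter(f => SENSITIVE_TOKENS.has(autofillToken(f.autocomplete)) && isHiddenField(f))
    .map(f => f.name);
}

// Browser-side collector: builds descriptors from a live document (not exercised in Node).
function collectFormFields(doc) {
  const els = doc.querySelectorAll('form input, form select, form textarea');
  return Array.from(els, el => {
    const cs = doc.defaultView.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return { name: el.name || el.id, type: el.type, autocomplete: el.getAttribute('autocomplete'),
             display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
             width: r.width, height: r.height, right: r.right, bottom: r.bottom };
  });
}

// Constructed sample modelled on the demo page: two visible fields plus hidden ones.
function field(name, autocomplete, overrides = {}) {
  return { name, type: 'text', autocomplete, display: 'block', visibility: 'visible',
           opacity: '1', width: 200, height: 30, right: 300, bottom: 130, ...overrides };
}
const SAMPLE_FIELDS = [
  field('name', 'name'),
  field('email', 'email'),
  field('cc-number', 'cc-number', { display: 'none' }),
  field('cc-csc', 'shipping cc-csc', { right: -9700 }),          // pushed far off-screen
  field('street-address', 'street-address', { opacity: '0' }),
  field('city', 'address-level2', { type: 'hidden' }),           // hidden, but not in the sensitive set
];
console.log(findHiddenSensitiveFields(SAMPLE_FIELDS)); // → [ 'cc-number', 'cc-csc', 'street-address' ]
```

In a browser console, `findHiddenSensitiveFields(collectFormFields(document))` runs the same check against the page you are looking at.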