Hackers Target Browser Autofill Profiles To Launch Punishing Phishing Attacks
As if hackers do not already have an easy enough time duping Internet users into forking over personal information, it turns out that browser autofill profiles may be helping them out when they're supposed to be making things more convenient for the person who inputted his information. By implementing hidden fields on a website, an attacker can turn an autofill profile against the user, in a manner of speaking.
Here is the deal with autofill profiles, they're a relatively new feature of today's browsers that allow users to input information about themselves that are commonly of interest to legitimate ecommerce sites, banking pages, and other online services that ask users to fill out an online form. When presented with a form from a legitimate website, selecting an autofill profile does just what it sounds like it does—it automatically fill out the fields with the user's preset profile information, which can include credit card details.
Note that browser autofill profiles are different from when a browser automatically fills in fields one at a time based on data the user previously entered in those fields. Autofill profiles are designed to fill out an entire form with a single click, saving the user from having to punch in information for sometimes dozens of fields.
Where things get interesting is when there are hidden fields. A Finnish web developer published at demo on GitHub that shows how this works. The demo consists of a simple web form with just two fields, Name and Email. What is not visible unless looking at the site's source code are half a dozen hidden fields titled Phone, Organization, Address, Postal Code, City, and Country.
If a user an autofill profile configured in his browser and decides to fill out the simple form with it, the six hidden fields also get filled out even though the user can't see them. So instead of sharing a name and email address, a user is duped into sharing much more information. You can try it out yourself here.
At present autofill profiles are supported by Chrome, Safari, and Opera. However, Mozilla is working on adding support for Firefox, which would leave Microsoft Edge as the only major browser immune from this attack. The feature can be turned off, though it's turned on by default.
To turn it off in Chrome, click the three dots in the upper right corner, select Settings, and click on Show advanced settings... at the bottom. Under the Passwords and forms section uncheck Enable Autofill to fill out web forms in a single click.
In Opera, the setting can be found in Settings > Autofill and in Safari go to Preferences and click on AutoFill.
Here is the deal with autofill profiles, they're a relatively new feature of today's browsers that allow users to input information about themselves that are commonly of interest to legitimate ecommerce sites, banking pages, and other online services that ask users to fill out an online form. When presented with a form from a legitimate website, selecting an autofill profile does just what it sounds like it does—it automatically fill out the fields with the user's preset profile information, which can include credit card details.
Note that browser autofill profiles are different from when a browser automatically fills in fields one at a time based on data the user previously entered in those fields. Autofill profiles are designed to fill out an entire form with a single click, saving the user from having to punch in information for sometimes dozens of fields.
Where things get interesting is when there are hidden fields. A Finnish web developer published at demo on GitHub that shows how this works. The demo consists of a simple web form with just two fields, Name and Email. What is not visible unless looking at the site's source code are half a dozen hidden fields titled Phone, Organization, Address, Postal Code, City, and Country.
If a user an autofill profile configured in his browser and decides to fill out the simple form with it, the six hidden fields also get filled out even though the user can't see them. So instead of sharing a name and email address, a user is duped into sharing much more information. You can try it out yourself here.
At present autofill profiles are supported by Chrome, Safari, and Opera. However, Mozilla is working on adding support for Firefox, which would leave Microsoft Edge as the only major browser immune from this attack. The feature can be turned off, though it's turned on by default.
To turn it off in Chrome, click the three dots in the upper right corner, select Settings, and click on Show advanced settings... at the bottom. Under the Passwords and forms section uncheck Enable Autofill to fill out web forms in a single click.
In Opera, the setting can be found in Settings > Autofill and in Safari go to Preferences and click on AutoFill.
