Browser Autofill data may be phished

Martin Brinkmann
Jan 5, 2017
Updated • Jan 5, 2017
Security

Most modern web browsers offer convenience features such as auto-filling forms on sites with data that you have entered in the past.

Instead of typing your name, email address or street address every time you sign up for a new account, you enter the data once and let the browser fill in the fields whenever they are requested afterwards.

But autofill can also be a privacy issue. Imagine a site asking you to enter your name and email address on a page. You would probably assume that this is the only data it requests, and that your browser will fill out those two fields and nothing else.

Watch what happens when the developer of a site adds hidden fields to the page.

[Image: autofill demo]

Note that hidden here does not mean fields of the type hidden: the extra fields are ordinary, fillable form controls that are simply drawn outside the visible area of the page, so the user never sees them.

The browser may fill out fields that are part of the form but that you never see. As the demo shows, this can include personal data that is submitted to the site without you being aware of it. While you could analyze a page's source code before submitting anything, doing so is highly impractical.

You can download the example index.html file from GitHub. Please note that this appears to work in Chrome but not in Firefox at the time of writing. Chrome-based browsers will likely behave the same way.

Chrome only fills out the following information by default: name, organization, street address, state, province, zip code, country, phone number and email address. Note that you may add other data, credit card details for instance, to autofill.
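Since the problem is fields the user cannot see, one practical check is to audit a form before submitting it. The following is an added example written for this article, not code from the article or from the demo repository: it classifies every form control as visible or invisible (off-page, zero-size, or hidden with CSS) and flags the invisible ones whose autocomplete hint matches the kinds of personal data Chrome fills by default. In a browser you would run auditDocument(document, window) from the developer console; the pure functions also run under Node against the constructed sample at the end, which mirrors the demo page described above. The token list, the default page size and the sample field positions are assumptions for the example.

```javascript
// Added example (not from the article or the demo repository): audit a page's
// form controls for fields the user cannot see but a browser may still autofill.

// Autocomplete tokens that map to personal data a browser will fill in
// (assumed list, based on the data types the article says Chrome fills).
const PERSONAL_TOKENS = new Set([
  'name', 'given-name', 'family-name', 'organization', 'street-address',
  'address-line1', 'address-line2', 'address-level1', 'address-level2',
  'postal-code', 'country', 'country-name', 'tel', 'email',
  'cc-name', 'cc-number', 'cc-exp', 'cc-csc',
]);

// Assumed page size used when no document is available (Node).
const DEFAULT_PAGE = { width: 1280, height: 720 };

// Return the reasons a field is invisible to the user, or [] if it is visible.
// `field` is a plain descriptor: { type, name, autocomplete, rect, style }.
function invisibilityReasons(field, page = DEFAULT_PAGE) {
  const { rect, style } = field;
  const reasons = [];
  if (field.type === 'hidden') reasons.push('type=hidden');
  if (rect.width === 0 || rect.height === 0) reasons.push('zero-size');
  if (rect.x + rect.width <= 0 || rect.y + rect.height <= 0 ||
      rect.x >= page.width || rect.y >= page.height) reasons.push('off-page');
  if (style.display === 'none') reasons.push('display:none');
  if (style.visibility === 'hidden') reasons.push('visibility:hidden');
  if (Number(style.opacity) === 0) reasons.push('opacity:0');
  return reasons;
}

// Keep only invisible fields, and mark whether they would receive personal data.
function auditFields(fields, page = DEFAULT_PAGE) {
  return fields.flatMap((f) => {
    const reasons = invisibilityReasons(f, page);
    if (reasons.length === 0) return [];
    const token = (f.autocomplete || '').split(/\s+/).pop();
    const personal = PERSONAL_TOKENS.has(token) || PERSONAL_TOKENS.has(f.name);
    return [{ name: f.name, autocomplete: token, personal, reasons }];
  });
}

// Browser-only: turn the DOM into descriptors and audit the whole document,
// using the document's scrollable size as the page bounds.
function auditDocument(doc, win) {
  const fields = Array.from(doc.querySelectorAll('input, select, textarea')).map((el) => {
    const r = el.getBoundingClientRect();
    const cs = win.getComputedStyle(el);
    return {
      type: el.type,
      name: el.name || el.id,
      autocomplete: el.getAttribute('autocomplete') || '',
      rect: { x: r.left + win.scrollX, y: r.top + win.scrollY, width: r.width, height: r.height },
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
    };
  });
  const root = doc.documentElement;
  return auditFields(fields, { width: root.scrollWidth, height: root.scrollHeight });
}

// Constructed sample mirroring the demo: two visible inputs plus inputs pushed
// off-screen or hidden with CSS that the browser would still fill.
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1' };
const SAMPLE_FIELDS = [
  { type: 'text', name: 'name', autocomplete: 'name', rect: { x: 40, y: 100, width: 300, height: 32 }, style: VISIBLE },
  { type: 'email', name: 'email', autocomplete: 'email', rect: { x: 40, y: 150, width: 300, height: 32 }, style: VISIBLE },
  { type: 'text', name: 'address', autocomplete: 'street-address', rect: { x: -100000, y: 200, width: 300, height: 32 }, style: VISIBLE },
  { type: 'tel', name: 'phone', autocomplete: 'tel', rect: { x: 40, y: 250, width: 300, height: 32 }, style: { ...VISIBLE, opacity: '0' } },
  { type: 'text', name: 'cc', autocomplete: 'cc-number', rect: { x: 40, y: 300, width: 0, height: 0 }, style: VISIBLE },
  { type: 'text', name: 'promo', autocomplete: 'off', rect: { x: 40, y: 350, width: 300, height: 32 }, style: { ...VISIBLE, visibility: 'hidden' } },
];

if (typeof document !== 'undefined') {
  console.table(auditDocument(document, window));
} else {
  console.table(auditFields(SAMPLE_FIELDS));
}
```

On the sample, the audit reports address (off-page), phone (opacity:0), cc (zero-size) and promo (visibility:hidden); only the first three carry personal-data hints, so promo is listed with personal set to false. A field placed at a large negative coordinate, as in the demo, fails the off-page test because its right edge never reaches the page. Note that the check only reveals what a page asks for; it does not stop the browser from filling the fields, so it complements rather than replaces disabling autofill.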

Since there is no way for the user to detect or block this when submitting a form, it is best to disable autofill until the issue is fixed.

It is interesting to note that this is not a new issue, but one that has been mentioned since at least 2010. A Chromium bug was reported in mid 2012, but it has not been addressed yet.

Disable autofill in Chrome

[Image: chrome disable autofill]

You can disable Google Chrome's autofill functionality in the following way:

  1. Load chrome://settings/ in the web browser's address bar.
  2. Click on "show advanced settings" at the end of the page.
  3. Scroll down to the "passwords and forms" section.
  4. Remove the checkmark from "Enable Autofill to fill out web forms in a single click".

Mozilla Firefox does not seem to be affected by this. You can find out about disabling autofill in Firefox on Mozilla's Support website.

Closing Words

It is an open question whether browser add-ons that provide automatic form filling leak data to sites that use hidden form fields as well. I did not test this, but it would be interesting to find out.


Comments

  1. Al said on January 10, 2017 at 4:54 pm
    Reply

    Wow!*, the mainstream has only just reported this today 10 Jan 2017, 5 days after Martin’s article:

    Beta News
    http://betanews.com/2017/01/10/autofill-data-theft/

    Guardian
    https://www.theguardian.com/technology/2017/jan/10/browser-autofill-used-to-steal-personal-details-in-new-phising-attack-chrome-safari

    The Register
    http://www.theregister.co.uk/2017/01/10/autocomplete_a_novel_phishing_hole_for_chrome_safari_crims/

    And this is why Ghacks is so popular! It is well ahead. Where Martin leads, others eventually follow….

    * /Sarc!

  2. Inolvidable said on January 6, 2017 at 1:29 pm
    Reply

    Thanks for the heads up. I use FF myself but I am worried about my parents, so I will be tweaking their config ASAP.
    By the way, I would like to congratulate you on the management of ads on Ghacks. Some time ago I joined Patreon to help, but I could not stand the intrusive ads on the page (gifs, video or other moving ads that were distracting). I gave it a shot again a couple of weeks ago and I am totally fine with these non-distracting ads. I do not have many whitelisted sites but Ghacks is totally worth it.

  3. CHEF-KOCH said on January 6, 2017 at 5:27 am
    Reply

    Any research or someone know if KeePass/Extensions are also suffering from this?

    1. Anonymous said on January 6, 2017 at 11:12 am
      Reply

      Probably not. It faces a different problem, such as a clipboard logger.
      So start typing your super safe 112-character password manually. Only now you face the keyboard logger problem.

      1. Clairvaux said on January 6, 2017 at 1:32 pm
        Reply

        Kee Pass is protected against clipboard loggers. Also, the roof over your head could collapse when you’ve finished reading this, and kill you. It’s not unheard of.

  4. Mystique said on January 6, 2017 at 2:44 am
    Reply

    I don’t know if such an application exists in Chrome (I doubt it) but in Firefox I like to deploy an addon called Sticky Fields which enables me to remember whatever I want and gives you an option to autofill it or (if I remember correctly) gives you a drop-down option to fill it with certain things with a few clicks. This is done case by case, website by website, form by form, field by field.

    It’s a brilliant tool and I doubt I could enjoy browsing without it; it’s highly tedious filling in forms, fields and various other things day in, day out at the same place.

    I don’t know if this addon works with newer versions of Firefox or will continue to work, but I thought I would just throw it out there for people to try and appreciate as a safer alternative.

    I won’t put the link here just in case its not allowed but I’m sure you can find it on mozilla’s addon site.

  5. Clairvaux said on January 6, 2017 at 1:39 am
    Reply

    I’m very nervous when I see my user name and mail address popping up all by themselves on Firefox. Although I must say it’s a tremendous time-saver (on this site, for instance). I draw the line at passwords, though. I would never let a browser take care of my passwords, even through its dedicated function. Browsers are much too close to the wild, wild Internet. A dedicated password manager is required, in my opinion.

    Good to know Firefox can’t be abused through Autofill.

      1. Clairvaux said on January 6, 2017 at 1:27 pm
        Reply

        Yes, I know. I don’t do Lastpass. I don’t do the cloud, as a matter of fact. My passwords are encrypted on my desktop, in Kee Pass.

  6. A or B, not C. said on January 6, 2017 at 12:25 am
    Reply

    It is foolish n lazy to let yr browsers store yr passwords thru the Autofill feature, esp when u do online banking n shopping.

    1. Andrew said on January 6, 2017 at 1:27 am
      Reply

      Some people are just lazy, like people who don’t type complete words :)

      1. George P. Burdell said on January 6, 2017 at 7:51 pm
        Reply

        @Pants- Yes, you read it wrong, or else I did not express myself clearly enough. My thought is/was that months ago you were the target (not the source) of personal attacks by a third party – in other words, somebody attacked you in these pages – then you vanished. I thought you went somewhere where you would feel more welcome, although I can’t imagine where that would be, since Martin is such an accommodating host.

        Anyhow, good that you are speaking up again. Pungent is fine with me, as long as there is logic and fact underpinning the pungency.

      2. Pants said on January 6, 2017 at 4:40 pm
        Reply

        @George P. Burdell .. Thanks :) But I didn’t go anywhere… maybe I make less comments on current topics than I used to, besides, a lot of commenters already add more than I could, and I see no point in repeating info :)

        [Aside: I’m also confused, I thought you said my comments were pungent and that I made personal attacks on people. Maybe I read it wrong.]

      3. Tom Hawack said on January 6, 2017 at 2:17 pm
        Reply

        I don’t believe it’s laziness but neither do I believe it would be “in the evolutionary development of language” as George P. Burdell states it.

        Not laziness. It happens sometimes — very seldom — that the abbreviated-phonetic-sms style (whatever you call it) is longer than the academic-traditional-kitsch one (or whatever you call it as well).

        I’m wondering if the sms way of adding letters to make words to make sentences (alias a ‘language’) isn’t the expression of a trend to compress everything, because of time & space requirements. The planetary tempo has changed, all must be thought, communicated, performed quickly, always faster. A journalist requires a fast answer, even to complex questions, and interrupts the speaker if he/she hasn’t made his/her answer within thirty seconds. No time to breathe and think deeply, no time to wonder, to doubt, to think twice… nops, it’ll have to be here and there immediately if possible, anything longer will be at best tolerated…

        I’ll forget my objectivity and cry my sadness: this is mad. The process leading to expression (written or spoken) is complex. Bergson would say that “We necessarily think a 3D universe and most often express that thought in 2D” (roughly translated): flatten a hemisphere and you’ll have to cut to get it totally flat. In the same way a thought loses when expressed, most often. This is why a language is so important when it allows to reduce this 3D to 2D transition loss.

        SMS or not, I believe most of us use less and less words, hold these words with less and less grammar (which is so important to articulate correctly, not the thought but the way it is communicated hence understood). We use less thoughts, we analyze with fast thoughts most often corresponding to a leading blend of political correction and emotional hysteria.

        We are, my friends, in a commercial world, essentially.

      4. George P. Burdell said on January 6, 2017 at 1:22 pm
        Reply

        @Andrew – While I too find it jarring to read words whose spelling has been excessively truncated, such truncations are part of a long respected process in the evolutionary development of language.

        For example, the former “taximeter cabriolet” has become a “taxi”, or sometimes a “cab”. The former “pantaloons” have become “pants”, [Personal Aside: Welcome Back Pants, you were missed.]

        Other examples that made it into standard use and acceptance are an examination becoming an exam, a brassiere becoming a bra, and a veterinarian becoming a vet.

        While it is painful to observe a goofy looking language transition which may or may not stand the test of time, I think it does not necessarily evince laziness on the part of the writer. He or she may merely be a brave pioneer, guiding us through an uncertain future via the past hope of a brighter tomorrow.

        Cn u rd ths?

      5. A or B, not C. said on January 6, 2017 at 8:03 am
        Reply

        @ Andrew ……. Truly lazy people do not type… ( :
        ……. Incomplete words or abbreviations r a necessity for typing in smartphones, eg sms n chats. Wonder why some people r against it in cptrs. In the 1970s, cptr codes started with abbreviations/short-forms, eg exe(execute) n dll(dynamic link library) files.

  7. Guest703 said on January 5, 2017 at 11:17 pm
    Reply

    Yeah I’d never use auto form filling for my own data. But the data at work? Ain’t nobody got time for that – at work I auto-fill literally everything possible.

  8. Freddy said on January 5, 2017 at 11:16 pm
    Reply

    Yeah, this has been an issue since circa 2002, but I do appreciate the alert. It’s good to be reminded about why you shouldn’t do stuff. Plus there are brand new people now who don’t know anything.

    ;)

  9. Tom Hawack said on January 5, 2017 at 11:05 pm
    Reply

    I’ve always left aside form filling, because I dislike personal information being kept by a browser and also because form filling is not, in my case, so frequent that proceeding manually would become tedious. There is also the fact that I may not give the same information to one site that I provide to another. Usually I provide my correct identity only for commercial transactions, and otherwise the email address is always disposable, hence different with each form.

    Here with Firefox, extracted from Pants’ (*) excellent user.js settings,

    // disable saving information entered in web forms AND the search bar
    user_pref("browser.formfill.enable", false);
    // disable saving form data on secure websites
    user_pref("browser.formfill.saveHttpsForms", false);
    // disable auto-filling username & password form fields
    user_pref("signon.autofillForms", false);

    Learning what is happening with Chrome (the article mentions only Chrome at this time, but an extra layer of caution doesn’t bother me), I’ll keep the above settings, more than ever.

    (*): Pants, if you read me, my best wishes for an imperial 2017, queen of a bohemian rhapsody :)

    1. Pants said on January 6, 2017 at 2:27 am
      Reply

      The “pants rhapsody” (Queen) has retired as has the “born to be pants” (Steppenwolf). The next version code name is well underway, including a special service workers section for you:
      * version: 0.11 : Pants Konami
      * “Up, Up, Pants, Pants, Left, Right, Left, Right, B, A, Start..”

      1. Tom Hawack said on January 6, 2017 at 10:41 am
        Reply

        For me? Thanks! I promise I’ll share :)
        Looking forward to user.js codename Pants_Konami

  10. wonton said on January 5, 2017 at 10:45 pm
    Reply

    This is not new; it has been there since the feature was first added in Chrome and Firefox.

    1. Heimen Stoffels said on January 7, 2017 at 10:36 am
      Reply

      I guess you didn’t read the full article? ‘Cause Martin literally wrote what you said:

      “It is interesting to note that this is not a new issue, but one that has been mentioned since at least 2010. A Chromium bug was reported in mid 2012, but it has not found any love yet.”
