Warning: Chrome, Opera and Safari's auto form fillers make it easy to steal personal data
We're all looking for ways to save time and effort, so it's hardly surprising that some web browsers offer a feature that automatically fills in online forms with commonly requested personal information. While incredibly useful, the feature can also be exploited to extract data a user might not want to share with a particular website.
Chrome, Opera and Safari all offer to save and automatically fill in details such as name, address and phone number, and users are ordinarily only aware of the data they can see being filled in on their behalf. But a web developer has shown how possible -- and very, very easy -- it is to use fields hidden from view to secretly gather everything saved in an autofill profile.
Viljami Kuosmanen demonstrates how a specially crafted website can be used to harvest information. The page invites users to fill in just their name and email address, and takes advantage of the fact that many people will start to type their name and then click the autofill suggestion when it appears. While the user may believe that only the name and email fields are being filled in for them, fields hidden from view can be used to collect addresses, phone numbers and other details from the same profile.
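How such a form gives itself away, as an added example that is not from the article or from Kuosmanen's demo page: the script below takes each form control's name, autocomplete attribute and computed geometry, and flags controls a visitor cannot see (display:none, zero opacity, zero size, or pushed off-screen) that nonetheless ask for profile data. It can be pasted into the browser console on a suspect page, or run under Node against the constructed field list that mirrors the demo form (two visible fields, several hidden ones). The field names, the off-screen coordinates, the thresholds and the PII name pattern are this example's own assumptions, not details taken from Kuosmanen's page.

```javascript
// Added example, not code from the article or from Kuosmanen's demo: a scanner that
// lists form controls a visitor cannot see but which browser autofill could still
// populate from a saved profile. Descriptors, names and thresholds are assumptions.
// The logic is pure so it runs offline; collectFields() builds descriptors in a page.

// Browsers do not autofill profile data into these input types, so a plain
// <input type="hidden"> is not the concern; visually hidden text-like inputs are.
const NOT_AUTOFILLED = new Set(['hidden', 'password', 'submit', 'button', 'reset', 'image', 'checkbox', 'radio', 'file']);

// autocomplete field-name tokens from the HTML standard that draw on profile data.
const PROFILE_TOKENS = new Set([
  'name', 'given-name', 'additional-name', 'family-name', 'honorific-prefix', 'organization',
  'street-address', 'address-line1', 'address-line2', 'address-line3', 'address-level1',
  'address-level2', 'postal-code', 'country', 'country-name', 'email', 'tel', 'tel-national',
  'tel-local', 'bday', 'cc-name', 'cc-number', 'cc-exp', 'cc-csc',
]);

// Heuristic, like a browser's own field classifier: names that look like PII.
// autocomplete="off" is deliberately not treated as a safe signal; browsers have
// not reliably honoured it for address data.
const PROFILE_NAME_PATTERN = /(name|e-?mail|phone|tel|mobile|address|street|city|zip|postal|country|organi[sz]ation|company|card|cvc|cvv|birth)/i;

// Why a field is invisible to the visitor, or null if it is visible. Coordinates are
// document-relative, so a field pushed to left:-5000px has a negative right edge.
function hiddenReason(f) {
  const s = f.style || {};
  const r = f.rect || { left: 0, top: 0, width: 0, height: 0 };
  if (s.display === 'none') return 'display:none';
  if (s.visibility === 'hidden') return 'visibility:hidden';
  if (s.opacity !== undefined && parseFloat(s.opacity) === 0) return 'opacity:0';
  if (r.width < 1 || r.height < 1) return 'zero-size box';
  if (r.left + r.width <= 0 || r.top + r.height <= 0) return 'positioned off-screen';
  return null;
}

// Which profile datum the field asks for, or null. The last autocomplete token is the
// field type ("shipping street-address" -> "street-address").
function profileTarget(f) {
  const token = (f.autocomplete || '').trim().toLowerCase().split(/\s+/).pop();
  if (PROFILE_TOKENS.has(token)) return token;
  if (PROFILE_NAME_PATTERN.test(f.name || '')) return `name:${f.name}`;
  return null;
}

// Fields that are both invisible and autofill targets: the hidden-field trap.
function findAutofillTraps(fields) {
  const traps = [];
  for (const f of fields) {
    if (NOT_AUTOFILLED.has((f.type || '').toLowerCase())) continue;
    const hiddenBy = hiddenReason(f);
    if (!hiddenBy) continue;
    const matches = profileTarget(f);
    if (!matches) continue;
    traps.push({ name: f.name, matches, hiddenBy });
  }
  return traps;
}

// Browser-only collector: turns live form controls into the plain descriptors above.
function collectFields(doc, win) {
  return Array.from(doc.querySelectorAll('input, select, textarea')).map((el) => {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      name: el.name || el.id || '',
      type: el.type || '',
      autocomplete: el.getAttribute('autocomplete') || '',
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
      rect: { left: r.left + win.scrollX, top: r.top + win.scrollY, width: r.width, height: r.height },
    };
  });
}

// Constructed fixture (assumed, not the demo's markup): two fields the visitor sees,
// plus controls hidden in the ways such traps are usually built.
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1' };
const DEMO_FORM_FIELDS = [
  { name: 'name', type: 'text', autocomplete: 'name', style: VISIBLE, rect: { left: 20, top: 40, width: 240, height: 28 } },
  { name: 'email', type: 'email', autocomplete: 'email', style: VISIBLE, rect: { left: 20, top: 80, width: 240, height: 28 } },
  { name: 'phone', type: 'tel', autocomplete: 'tel', style: VISIBLE, rect: { left: -5000, top: 120, width: 240, height: 28 } },
  { name: 'address', type: 'text', autocomplete: 'shipping street-address', style: VISIBLE, rect: { left: -5000, top: 160, width: 240, height: 28 } },
  { name: 'organization', type: 'text', autocomplete: 'organization', style: { display: 'none', visibility: 'visible', opacity: '1' }, rect: { left: 0, top: 0, width: 0, height: 0 } },
  { name: 'cc', type: 'text', autocomplete: 'cc-number', style: { display: 'block', visibility: 'visible', opacity: '0' }, rect: { left: 20, top: 200, width: 240, height: 28 } },
  { name: 'csrf', type: 'hidden', autocomplete: '', style: VISIBLE, rect: { left: 0, top: 0, width: 0, height: 0 } },
  { name: 'comment', type: 'textarea', autocomplete: '', style: VISIBLE, rect: { left: 20, top: 240, width: 240, height: 80 } },
];

if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  console.table(findAutofillTraps(collectFields(document, window)));   // live page
} else {
  console.table(findAutofillTraps(DEMO_FORM_FIELDS));                  // offline fixture
}
```

The scan only tells you which fields are hidden and what they ask for; what the browser would actually put in them depends on the profile it has saved, which is why checking that profile, as Kuosmanen did, is the other half of the exercise.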
Earlier this month, self-described 'hacker' Kuosmanen shared a tweet showing how the browser autofill feature can leak information:
— Viljami Kuosmanen ⭐ (@anttiviljami) January 4, 2017
A similar technique can be used to gather information from tools such as LastPass and browser extensions that store user data.
The method is strikingly simple, which makes it all the more likely to be used in crude, indiscriminate phishing attacks.
Speaking to Bleeping Computer, Kuosmanen said:
I had known about this issue for a long time. A similar thing (honeypots) is used to trap bots in forms to avoid spam. This is the same idea, just trap real browser users instead of bots. The idea for the demo came after I was annoyed about Chrome autofilling wrong fields on an ecommerce site. I then went on to see which details Chrome had saved for autofill about me and was surprised about how much information is available.
The advice? Turn off autofill if you want to be completely sure of the safety of your personal data. Failing that, review what your browser has saved in its autofill profile, and bear in mind that the fields you can see on a form are not necessarily the only ones the browser is filling in.