Beware of Browser Autofill and Password Managers - They Can Leak Your Personal Data
- Firefox is currently secure against this attack
- Information for hidden boxes can be retrieved from autofill system
- Chrome has the option switched on by default
We all like to use the autofill and built-in password manager features offered by Internet browsers as well as some third-party password managers in order to save time and avoid the trouble of remembering dozens of credentials. However, a new phishing attack might make you think twice before using the feature again. The phishing attack, discovered by a Finnish Web developer and hacker, tricks browsers as well as password managers into giving away users' credentials using a fairly simple trick.
Finnish Web developer and hacker Viljami Kuosmanen has found that Google's Chrome, Apple's Safari, as well as Opera, and password manager app LastPass, can all be tricked into leaking a user's personal information through their profile-based autofill systems, reports The Guardian. Kuosmanen discovered that whenever a user tries to fill up a form on the webpage, the autofill systems fill up the boxes even if they are not visible on the page.
This is why I don't like autofill in web forms. #phishing #security #infosec pic.twitter.com/mVIZD2RpJ3
This effectively means that while filling up the forms, the autofill system can potentially give away users' sensitive information if they confirm the autofill - even if only for a few visible fields. Chrome browser's autofill option is switched on by default and stores information such as email addresses, phone numbers, credit card information etc., as pointed out in the report.
Interestingly, Kuosmanen has also made a website to demonstrate how the process works. The webpage asks users to write their name and email address and has the boxes for mobile number and address hidden from plain site - the browser then proceeds to autofill this additional information without knowledge of the user.
As Firefox browser autofills each field individually, it is protected against this kind of an attack but the company is apparently working on a multi-field autofill system as well.
In order to ensure protection against such a phishing attack, users are advised to switch off the features from their browser
For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.