Browser Autofill Data May Be Phished

vissha


Data that you have saved as so-called Autofill data in your web browser of choice may be phished by sites using hidden form fields.

 

Most modern web browsers offer convenience features such as auto-filling forms on sites with data that you have entered in the past.

 

Instead of having to enter your name, email address or street address every time you sign up for a new account, for instance, you fill out the data once and have the browser fill in the fields for you whenever they are requested afterwards.

 

But autofill can also be a privacy issue. Imagine a site requesting that you enter your name and email address on a page. You would probably assume that this is the only data it requests, and that your browser will only fill out those fields and nothing else.

 

Watch what happens when the developer of a site adds hidden fields to a page.

[Animation: autofill-demo.gif]


Note that "hidden" here does not mean a field of type hidden or one that is not rendered at all. The fields are ordinary, rendered inputs that are positioned outside the visible area of the page, so the user never sees them.

The browser may fill out fields that are on the page but that you do not see. As the animation shows, this may include personal data, and the data is submitted to the site without you being aware of it. While you could inspect a page's source code before submitting anything, doing so for every form is impractical.

 

You can download the example index.html file from GitHub. Please note that this appears to work in Chrome but not in Firefox at the time of writing. Chrome-based browsers are likely to behave the same way.
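The page below is an added example that reproduces the behaviour described above; it is not the index.html from the GitHub repository linked in the article. Two fields are visible; the rest are ordinary inputs pushed far off-screen with CSS and tagged with standard autocomplete tokens for the kinds of data the browser keeps in its address profile. The form action is a placeholder and the submit handler cancels the submission, so nothing leaves the browser; instead, the handler lists every field that received a value and whether it was rendered inside the document's visible area. The same `audit` function can be pasted into the devtools console on any third-party page and called as `audit(document.forms[0])` to check that page for off-screen autofill-able inputs before you submit a form. Field names and the `/collect` action are assumptions for the demo only.

```html
<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Autofill leak demo (added example, not the article's file)</title>
  <style>
    /* The bait fields are NOT type="hidden" and NOT display:none, because
       browsers skip those for autofill. They are regular rendered inputs
       that simply sit far outside the page's visible area. */
    .offscreen { position: absolute; left: -10000px; top: 0; }
    pre { background: #eee; padding: .5em; }
  </style>
</head>
<body>
  <h1>Sign up</h1>
  <!-- action="/collect" is a placeholder; the script below never submits -->
  <form id="signup" action="/collect" method="post">
    <!-- The only two fields the visitor actually sees -->
    <label>Name <input name="name" autocomplete="name"></label><br>
    <label>Email <input name="email" autocomplete="email"></label><br>
    <button type="submit">Sign up</button>

    <!-- Off-screen bait: same form, filled from the same address profile -->
    <div class="offscreen">
      <input name="org"     autocomplete="organization">
      <input name="street"  autocomplete="street-address">
      <input name="city"    autocomplete="address-level2">
      <input name="state"   autocomplete="address-level1">
      <input name="zip"     autocomplete="postal-code">
      <input name="country" autocomplete="country-name">
      <input name="phone"   autocomplete="tel">
    </div>
  </form>

  <h2>What would have been submitted</h2>
  <pre id="report">(pick an autofill suggestion in the Name field, then submit)</pre>

  <script>
    // Classify every named control in a form as visible or off-screen using
    // its rendered box, measured against the document's scrollable extent
    // (not just the viewport, so fields below the fold are not flagged).
    // Usable as-is from the devtools console on any page: audit(document.forms[0])
    function audit(form) {
      const docW = document.documentElement.scrollWidth;
      const docH = document.documentElement.scrollHeight;
      return Array.from(form.elements)
        .filter(el => el.name)
        .map(el => {
          const r = el.getBoundingClientRect();
          const x = r.left + window.scrollX;   // document coordinates
          const y = r.top + window.scrollY;
          const offscreen = r.width === 0 || r.height === 0 ||
            x + r.width <= 0 || y + r.height <= 0 || x >= docW || y >= docH;
          return {
            name: el.name,
            autocomplete: el.getAttribute('autocomplete'),
            value: el.value,
            offscreen
          };
        });
    }

    document.getElementById('signup').addEventListener('submit', ev => {
      ev.preventDefault(); // demo only: never actually send the data anywhere
      const rows = audit(ev.target);
      document.getElementById('report').textContent = rows
        .map(f => `${f.offscreen ? 'OFF-SCREEN' : 'visible   '} ` +
                  `${f.name.padEnd(8)} (${f.autocomplete}) = ${JSON.stringify(f.value)}`)
        .join('\n');
    });
  </script>
</body>
</html>
```

Save the file locally, open it in the browser you want to test, choose a saved address from the suggestion dropdown on the Name field and submit. A browser that fills the whole form section from the selected profile will report values in the rows marked OFF-SCREEN; a browser that fills only the field you interacted with will leave them empty. The check is a heuristic: it catches zero-size and off-document placement, which is what the demo uses, but not every way a field can be made invisible (opacity, clipping, a covering element), so an empty report is not proof that a page is clean.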

 

Chrome fills only the following kinds of fields by default: name, organization, street address, state, province, zip code, country, phone number and email address. Note that you may add other data, credit cards for instance, to Autofill.

 

Since you cannot see which fields the browser is about to fill, and there is no per-site way to stop it from the user's end, it is best for now to disable autofill until the issue gets fixed in the browser.

 

It is interesting to note that this is not a new issue, but one that has been mentioned since at least 2010. A Chromium bug was reported in mid-2012, but it has not received any attention yet.

 

Disable autofill in Chrome

 

chrome-disable-autofill.png

 

You can disable Google Chrome's autofill functionality in the following way:

  1. Load chrome://settings/ in the web browser's address bar.
  2. Click on "show advanced settings" at the end of the page.
  3. Scroll down to the "passwords and forms" section.
  4. Remove the checkmark from "Enable Autofill to fill out web forms in a single click".

Mozilla Firefox does not seem to be affected by this. Mozilla's Support website explains how to disable autofill in Firefox.

 

Closing Words

 

It is an open question whether browser add-ons that support automatic form filling leak data to sites that use hidden form fields as well. I did not test this, but it would be interesting to find out.

 

Source


Anything that shortcuts your manually inputting data, logins, passwords, etc. is a potential security problem. Autodata is so easy to grab it is really laughable. Hidden form fields can cause the data to be filled in and sent to the site owner or to whomever has gained access to a site to change the webpages so they grab the data. I have never, nor will I ever, use any type of autofill, autodata, keep my site login / password or anything else because I am too lazy to type it in. Any site I am on that offers dual authentication I sign up for, so not only do I type in my login and password, but I have to type in a code sent to my phone. It is amazing the number of people who profess to be concerned about security and then do the exact things that make them insecure.



This feature is disabled on every machine on which I do maintenance.

Unfortunately, customers often ignore my security guidelines and install all sorts of things, which makes my work very feasible, since they are always coming back... Sometimes I consider restricting their control over their machines, but it would not be educational to deprive them of occasional headaches...
