Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Mozilla Chrome Opera Privacy Safari Security The Internet

Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com) 112

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allow attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.

This discussion has been archived. No new comments can be posted.

Browser Autofill Profiles Can Be Abused For Phishing Attacks

Comments Filter:
  • Surely just only auto-fill visible fields?

    • by Anonymous Coward

      Determining visibility of an element is exceptionally hard in a browser. There can be overlays, transparancy, dynamic elements, or simply making elements visible for a split second in a corner, for autofill to work, then capturing the data and removing the elements. I'm sure we can come up with more creative workarounds. Supposedly Firefox works around the issue by prompting the user which fields to autofill.

    • Re:Obvious solution (Score:4, Informative)

      by Shane_Optima ( 4414539 ) on Monday January 09, 2017 @04:24AM (#53632049) Journal

      Surely just only auto-fill visible fields?

      That sounds tricky as hell... how many different ways of hiding the fields are there? They could be tiny, they could be behind another element, they could be unlabeled with white text on a white background, they could be at the bottom of the page past the point where most people will bother scrolling, etc.

      If autofill absolutely must be used, the correct way to do this would be to warn the user with a popup that the website is requesting information XYZ, not unlike how they currently have a popup saying that a website is requesting your detailed location information.

      Also, I'm astonished this attack hasn't popped up before now.

      • The browser should place an "autofill" button on the toolbar or someplace off limits from any web site manipulation.

        This button should open a dialog box listing all the fields to be filled with the data to be filled, with checkboxes to enable/disable filling certain fields and to edit the data that is submitted.

        This would allow the user to be certain as to what form fields were filled and which ones weren't in a UI environment not controlled/manipulated by the web site.

        Perhaps they could even extend it to c

        • It seems like the best solution in this case is to simply admit defeat -- that autofill profiles aren't a good idea -- and remove the feature. Your workaround, and others proposed, suffer from the weakness that they're more complicated and higher-risk than simply typing the information into the appropriate fields, the way God intended.

          • by swb ( 14022 )

            I think the reality is that there's too many forms which need filling out too often and auto-fill isn't going away, ever, so the answer is how to make it safer and more transparent to the user what info is being filled in.

            At least with a user-initiated form-fill action supported with a confirmation dialog box with the fields & data to be filled prevents the most common mishaps of existing form-fill -- filling in the wrong data into the wrong fields or getting hidden fields filled with data they shouldn'

      • by Sigma 7 ( 266129 )

        If autofill absolutely must be used, the correct way to do this would be to warn the user with a popup that the website is requesting information XYZ

        Why must everything be a popup warning? You can instead have this in a right-click menu, or simply have the content available if the user presses a down-arrow in the relevant field.

        Also, I'm astonished this attack hasn't popped up before now.

        It first happened on MySpace, because that site allowed creating custom forms that tricked certain browsers into provid

        • You can instead have this in a right-click menu, or simply have the content available if the user presses a down-arrow in the relevant field.

          A lot of people are suggesting solutions in this vein, which is changing the nature of autofill by making it more cumbersome to use. I don't use it myself and don't plan to, but I suspect that one of the reasons why some people do like it is the ease of use. The popup, problematic as it is, is the one way to do this with a minimum of extra fuss. If you want to argue people are going to just click though it, well, there's no saving those people anyway.

          • by Sigma 7 ( 266129 )

            Popups cause unnecessary extra fuss in the event that you don't want to use autofill, no different than Clippy saying "It looks like you are writing a letter", and no different than popups from ad networks asking you to try out the poop-providing-penis-pills.

            Each time I restart Firefox, I get a popup asking me to enter the master password for saved logins. Since this popup is window modal, it slows down the process by claiming that logging into a site that I've already logged into is more important than ac

    • Except for the many website which hide field for aesthetic reasons which then come into view as you fill out other ones.

      But hey I'm all for killing that stupid practice.

  • by Anonymous Coward

    Come on, folks. It's obvious that browsers by now are the primary vulnerability our there (except perhaps the IOThingies, which are even worse).

    A huge, complex piece of software, with several interpreters built in, ready to execute whatever they hoover up on the 'nets, with no clear business model (do they belong to the users or to the advertising industry? Most of the fat money flowing in the general browser's direction comes from... you guessed it; and these days money "means" ownership, alas) and with fu

  • I don't understand people who even save passwords, let alone full profiles of themselves.
    • I don't understand people who even save passwords, let alone full profiles of themselves.

      Saving passwords works separately and differently than form autofill. I find it useful for shit sites (ie, 95% of all passwords) -- and if you can get them if you pwn my browser, oh well.

    • I do save passwords, but in a separate vault. I pick them up (copy) there and paste them when needed.
      My 'vault' is a VM with no internet access under QubesOS installed on an encrypted HD.
      Of course there are backups on USB sticks, encrypted.
    • Well, Ideally you would have a different password for every site you log into. Some sites store the password or some way the current password can be recovered, so that if they get hacked or something the attacker will try it on other sites. You can try to remember them all, but I prefer to keep them in a password protected cache that I remember the password to and don't save.
      • by know1 ( 854868 )
        Still stupid. I have seperate passwords for all the sites/devices I own. The trick to remembering them is to have a system - so if you forget it you can work out what the system is depending on the site. Don't do something stupid like have the website name as the password though, obviously...and I can't tell you my system because then it would be compromised. Have a think though, and I'm sure you could come up with something.
        • The trick to remembering them is to have a system

          On problem with systems is the wide variety of disallowed / allowed / required characters in passwords for various sites ("minimum of eight characters, at least one lower case, one uppper case, and one digit (but we won't accept puncuation marks and don't say that)"), in rulesets that are only displayed when you set the password, not when you enter it.

          • by mark-t ( 151149 )
            Is there some reason you can't be bothered to write down the ruleset if you think you wouldn't remember it?
            • My typing isn't perfect and it would be frustrating attempting to type the password in over and over again for one.
            • Is there some reason you can't be bothered to write down the ruleset if you think you wouldn't remember it?

              You're kidding, right? Writing down the rule set would be writing down ALL of my passwords, past, present, and future. B-b

              But my point was that:
              - The variability of "password quality" rules means the ruelset has to be complex enough to handle different cases for sites with different rulesets.
              - The lack of display of the site's password quality rules at login means a password generatio

              • by mark-t ( 151149 )
                How does writing down the ruleset that a site requires, which is information that you get when you first create the password, allow anyone to guess your passwords? This is information that anyone who was setting up a password on that site would already know anyways, or at least be able to trivially get. You would be no more compromising your own passwords with such information than you would be compromising everybody else's.
  • Should be pretty easy to program this function properly.
    How about, for example, making sure the filled in elements are 100% visible to the user?

  • by Actually, I do RTFA ( 1058596 ) on Monday January 09, 2017 @04:19AM (#53632035)

    HTML was supposed to define a page semantically (e.g. header 1). Letting it get crufted up with instructions on how to make it look pretty was a horrible idea (albeit one that came early on). A form should look like a form. No, I don't need whatever new hotness some designer invented with some colorscheme A/B tested to hell and back to try to trick me into clicking the desired button.

    • HTML was supposed to define a page semantically (e.g. header 1). Letting it get crufted up with instructions on how to make it look pretty was a horrible idea (albeit one that came early on). A form should look like a form. No, I don't need whatever new hotness some designer invented with some color scheme A/B tested to hell and back to try to trick me into clicking the desired button.

      The solution to your problem is this great browser calld Lynx. Google it!

      • Unfortunately many sites don't render well in Lynx. I hope that as the HTML standards evolve Lynx will work better. Also there isn't as much active Lynx development and, sadly, it has it's own security holes ;(
    • Letting it get crufted up with instructions on how to make it look pretty was a horrible idea

      Sure if you wanted the internet to be DoA as a publishing platform it was a horrible idea. HTML was designed to present some very basic information. We've come a long way from the original design intent from HTML.

  • This Kills Autofill (Score:5, Interesting)

    by jaa101 ( 627731 ) on Monday January 09, 2017 @05:41AM (#53632235)

    The only responsible action for the browser companies to do is to kill off autofill. There's no reliable way for the browser to be sure the user can see which fields have been autofilled. Any attempt to popup and warn the user is going to be annoying, reduce the convenience of the feature, be confusing and people will just click-through 99% of the time anyway. This is why we can't have nice things.

    • The only responsible action for the browser companies to do is to kill off autofill. There's no reliable way for the browser to be sure the user can see which fields have been autofilled. Any attempt to popup and warn the user is going to be annoying, reduce the convenience of the feature, be confusing and people will just click-through 99% of the time anyway. This is why we can't have nice things.

      Perhaps the only responsible action intelligent people should take is to leave the features intact (the lazy masses will demand this anyway), and allow the idiots who favor convenience over privacy to learn their own lessons the hard way.

      Wisdom is a great teacher, but ignorance often demands Experience to be their guide in life.

    • by samjam ( 256347 )

      Do you REALLY think that the popup will reduce the convenience MORE than REMOVING THE FEATURE ENTIRELY?

      • by jaa101 ( 627731 )

        No, obviously not; that's why I listed multiple reasons why autofill has to go. The big one is that people will just click-through without understanding.

    • by AmiMoJo ( 196126 )

      It would be better for everyone if there was some standard way for web sites to request certain personal information that is necessary for online shopping and the like. Easier for users to have a consistent UI instead of every site using a different form, and better for security as the data can be better controlled.

    • by tlhIngan ( 30335 )

      The only responsible action for the browser companies to do is to kill off autofill. There's no reliable way for the browser to be sure the user can see which fields have been autofilled. Any attempt to popup and warn the user is going to be annoying, reduce the convenience of the feature, be confusing and people will just click-through 99% of the time anyway. This is why we can't have nice things.

      Or how about simply modifying the browser to only autofill fields that are visible when submitted? Chrome highl

    • Of all the items the hidden autofill can access, "phone" is a little annoying. But not that much. I can pretty easily now block calls and span texts.

      It's not like it is auto-filling CC details for example. That is triggered separately from address data.

      Are you worried someone is going to send you a catalog you did not ask for? Welcome to the party pal.

  • by Anonymous Coward

    I never use autofill and I turn it off whenever possible. It is the fear of exactly the same kind of shit that keeps me away from it.

    Basically, if the browser knows about your identifying information, you should assume an attacker knows already.

  • I can't be the only one who has disabled auto-fill from day 1 for precisely this reason, am I?

    Security isn't hard if you think about it during the design stage and you're willing to scrap designs that are inherently insecure, such as automatically sending personal information to random web sites.

Technology is dominated by those who manage what they do not understand.

Working...