Browser Autofill Profiles Can Be Abused For Phishing Attacks

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allows attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser and he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.
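A static audit for the form layout the summary describes, added here as an example; it is not code from the article or from Kuosmanen's demo. The way the sample hides its fields (an off-screen inline style), the lower-case field names and every helper name are assumptions, and the check only reads inline styles and the `hidden` attribute.

```python
import re
from html.parser import HTMLParser

# Inline-style heuristics only: stylesheets, overlays and script-driven hiding are NOT seen.
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}|(?:width|height)\s*:\s*0(?![.\d])", re.I)
# Field-name hints for autofill profile data (the field kinds the article lists).
PROFILE = re.compile(r"name|email|phone|tel|organi[sz]ation|address|postal|zip|city|country", re.I)
FIELDS = {"input", "select", "textarea"}
SKIP = {"hidden", "submit", "button", "reset", "checkbox", "radio", "file", "image"}  # not free-text entry
VOID = {"input", "br", "img", "hr", "meta", "link"}  # elements without an end tag

class FormAudit(HTMLParser):
    """Split each form's profile-type fields into visible and concealed."""
    def __init__(self):
        super().__init__()
        self.forms = []   # one {"visible": [...], "concealed": [...]} per <form>
        self.stack = []   # (tag, conceals) for every open container element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        conceals = "hidden" in a or bool(HIDING.search(a.get("style") or ""))
        if tag == "form":
            self.forms.append({"visible": [], "concealed": []})
        if tag in FIELDS and any(t == "form" for t, _ in self.stack):
            label = a.get("autocomplete") or a.get("name") or a.get("id") or ""
            if (a.get("type") or "text").lower() not in SKIP and PROFILE.search(label):
                # Concealed if the field or any open ancestor carries a hiding style.
                hidden = conceals or any(c for _, c in self.stack)
                self.forms[-1]["concealed" if hidden else "visible"].append(label)
        if tag not in VOID:
            self.stack.append((tag, conceals))

    def handle_endtag(self, tag):
        tags = [t for t, _ in self.stack]
        if tag in tags:  # pop back to the matching open tag, tolerating unclosed children
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]

def audit(html):
    """Return the forms that contain profile fields concealed by inline style."""
    parser = FormAudit()
    parser.feed(html)
    return [f for f in parser.forms if f["concealed"]]

# Constructed sample: two visible fields plus six inside an off-screen wrapper.
SAMPLE = ('<form><input name="name"><input name="email">'
          '<div style="position:absolute; left:-5000px">'
          '<input name="phone"><input name="organization"><input name="address">'
          '<input name="postal"><input name="city"><input name="country"></div>'
          '<input type="submit" value="Submit"></form>')
```

`audit(SAMPLE)` reports one form with two visible and six concealed fields; a form that hides fields through an external stylesheet or script would pass this check unflagged.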

  • Surely just only auto-fill visible fields?

    • Re: (Score:1)

      by Anonymous Coward

      Determining visibility of an element is exceptionally hard in a browser. There can be overlays, transparency, dynamic elements, or simply making elements visible for a split second in a corner, for autofill to work, then capturing the data and removing the elements. I'm sure we can come up with more creative workarounds. Supposedly Firefox works around the issue by prompting the user which fields to autofill.

    • Surely just only auto-fill visible fields?

      That sounds tricky as hell... how many different ways of hiding the fields are there? They could be tiny, they could be behind another element, they could be unlabeled with white text on a white background, they could be at the bottom of the page past the point where most people will bother scrolling, etc.

      If autofill absolutely must be used, the correct way to do this would be to warn the user with a popup that the website is requesting information XYZ, not unlike how they currently have a popup saying

  • I don't understand people who even save passwords, let alone full profiles of themselves.

    • I don't understand people who even save passwords, let alone full profiles of themselves.

      Saving passwords works separately and differently than form autofill. I find it useful for shit sites (i.e., 95% of all passwords) -- and if you can get them if you pwn my browser, oh well.

  • Should be pretty easy to program this function properly.
    How about, for example, making sure the filled in elements are 100% visible to the user?

  • HTML was supposed to define a page semantically (e.g. header 1). Letting it get crufted up with instructions on how to make it look pretty was a horrible idea (albeit one that came early on). A form should look like a form. No, I don't need whatever new hotness some designer invented with some colorscheme A/B tested to hell and back to try to trick me into clicking the desired button.

