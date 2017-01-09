Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com) 12
An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allow attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.
Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.
Best thing would make them autofillable with a browser command that javascript and such cant use.
How exactly would that even solve the issue? As soon as the user hits "submit", the data is submitted. ZERO JavaScript required for this particular phishing attack as it is already.
Surely just only auto-fill visible fields?
I don't understand people who even save passwords, let alone full profiles of themselves.
Saving passwords works separately and differently than form autofill. I find it useful for shit sites (ie, 95% of all passwords) -- and if you can get them if you pwn my browser, oh well.
Should be pretty easy to program this function properly.
How about, for example, making sure the filled in elements are 100% visible to the user?
This is already easily broken, though. If you're only doing UI overlays on the Z axis as close to the user as possible, just fix position of the element outside of the view frame, such as top:-10000px
A better solution would be to list all fields which will receive input data. Have the browser list out every single field. Inform the user BEFORE the action is taken.