Browser auto-fill is one of the most convenient modern Internet features. Popular browsers like Google Chrome, Apple Safari, Microsoft Edge, and Mozilla Firefox save computer users time by automatically populating form fields and login requests with information the user has entered before.
But the problem, as revealed last month by Finnish web developer and hacker Viljami Kuosmanen, is that new phishing attacks are allowing hackers to steal personal information by placing invisible form fields on illicit websites.
A user may enter only one or two lines of information—say a name and email address required to unsubscribe from what looks like a spam email—while the rest of his or her auto-fill profile information is entered in boxes that the user can’t see or confirm.
If the computer user has an auto-fill profile set up in a browser, auto-filling the two visible form fields will automatically populate the six hidden fields as well. This presents a simple method for hackers and cybercriminals to collect a wide array of personal information about users, ranging from home addresses to phone numbers and even credit card numbers if that information is saved by browser auto-fill.
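The pattern described above (a few visible fields, several concealed ones that auto-fill still populates) can be checked for from the defender's side. The following is an added example, not code from the original article or from Kuosmanen's proof of concept: a small audit that flags form fields a browser could auto-fill even though the user cannot see them. The field snapshot shape, the name-hint pattern, and the hiding thresholds (1 px boxes, 1000 px off-screen) are assumptions made for this example; the sample form is constructed.

```javascript
// Added example (not from the original article or Kuosmanen's PoC): a
// defender-side audit that flags form fields a browser could auto-fill even
// though the user cannot see them. Field objects are a plain snapshot so the
// check runs offline in Node; snapshotFormFields() at the bottom builds the
// same shape from a live <form> when a DOM is available.

// Autocomplete tokens that map to stored profile data (a subset of the HTML
// autocomplete attribute vocabulary).
const PROFILE_TOKENS = new Set([
  "name", "given-name", "family-name", "email", "tel", "organization",
  "street-address", "address-line1", "address-line2", "postal-code",
  "country", "cc-name", "cc-number", "cc-exp", "cc-csc",
]);

// Browsers also guess a field's purpose from its name or id when no token is
// given; this pattern is an assumption that approximates that guessing.
const PROFILE_NAME_HINT = /(name|mail|phone|tel|addr|street|zip|postal|city|country|card|cc|cvc|csc)/i;

function isProfileField(f) {
  if (f.autocomplete && PROFILE_TOKENS.has(f.autocomplete.toLowerCase())) return true;
  return PROFILE_NAME_HINT.test(f.name || "");
}

// Why the user cannot see the field, or null if it renders normally.
// Thresholds (1 px boxes, 1000 px off-screen) are assumptions for this audit.
function hiddenReason(f) {
  const s = f.style || {};
  if (s.display === "none") return "display:none";
  if (s.visibility === "hidden") return "visibility:hidden";
  if (Number(s.opacity) === 0) return "opacity:0";
  if (f.width <= 1 || f.height <= 1) return "zero-size box";
  if (s.position === "absolute" && (Number(s.left) < -1000 || Number(s.top) < -1000)) {
    return "positioned off-screen";
  }
  return null;
}

// Returns one record per field that is both auto-fillable and invisible.
// Inputs of type=hidden are left out of scope: the trick described above
// relies on ordinary text inputs concealed with CSS.
function auditFields(fields) {
  const findings = [];
  for (const f of fields) {
    if (f.type === "hidden" || !isProfileField(f)) continue;
    const reason = hiddenReason(f);
    if (reason) findings.push({ name: f.name, reason });
  }
  return findings;
}

// Constructed sample: an "unsubscribe" form with two visible fields and
// three concealed ones, mirroring the pattern described in the article.
const SAMPLE_FORM = [
  { name: "name",  type: "text", autocomplete: "name",  style: {}, width: 200, height: 30 },
  { name: "email", type: "text", autocomplete: "email", style: {}, width: 200, height: 30 },
  { name: "phone", type: "text", autocomplete: "tel",   style: { opacity: "0" }, width: 200, height: 30 },
  { name: "address", type: "text", autocomplete: "street-address",
    style: { position: "absolute", left: "-5000", top: "0" }, width: 200, height: 30 },
  { name: "ccnum", type: "text", autocomplete: "cc-number", style: {}, width: 1, height: 1 },
  { name: "token", type: "hidden", autocomplete: "", style: { display: "none" }, width: 0, height: 0 },
];

// Browser-only helper: build the same snapshot shape from a live <form>.
function snapshotFormFields(formEl) {
  return Array.from(formEl.querySelectorAll("input, select, textarea")).map((el) => {
    const cs = getComputedStyle(el);
    const box = el.getBoundingClientRect();
    return {
      name: el.name || el.id,
      type: el.type,
      autocomplete: el.getAttribute("autocomplete") || "",
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
               position: cs.position, left: parseFloat(cs.left), top: parseFloat(cs.top) },
      width: box.width,
      height: box.height,
    };
  });
}

// Stand-alone run: lists the three concealed profile fields in the sample.
console.log(auditFields(SAMPLE_FORM));
```

In a browser, `auditFields(snapshotFormFields(document.querySelector("form")))` runs the same check against a real page, which is a useful spot check for a site reviewer or for a content script that warns the user before auto-fill is accepted. The heuristics deliberately err toward false positives: a field that is merely collapsed by a layout bug is cheap to review, while a missed concealed card-number field is not.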
True to most phishing attacks, these malicious websites are visited when a computer user inadvertently clicks on an unfamiliar link in a spam email—or clicks the “unsubscribe” button at the bottom of a message he or she no longer wants to receive.
“I had known about this issue for a long time,” Kuosmanen told Bleeping Computer last month. “A similar thing is used to trap bots in forms to avoid spam. This is the same idea, just trap real browser users instead of bots.”
Kuosmanen says he was motivated to dig deeper into auto-fill’s potential for hacking when he noticed Google Chrome entering the wrong information on e-commerce sites. “I went on to see which details Chrome had saved for auto-fill about me and was surprised about how much information is available,” Kuosmanen added. He then created a proof-of-concept website that demonstrates how hackers can trick users into sharing the data that they have stored.
The bad news? Browsers like Chrome and Safari often enable auto-fill automatically, presumably to save computer users time. The good news? It can be easily deactivated, usually by visiting your browser’s Preferences or Settings menu and clicking “Disable” next to the Auto-Fill feature. For now, Firefox and Microsoft Edge appear to be the safest browsers to use since they don’t support multi-field auto-fill.
Hopefully, Google, Apple, and other companies will soon develop a secure fix for this auto-fill vulnerability. But until then, this new hacking tactic is just one more in a long line of issues that must be addressed with robust online security, including proactive maintenance and monitoring, reliable and remote data backup, and a multi-layered approach to keeping users safe from the most dangerous strains of malware, ransomware, email compromise, and other phishing attempts.
If you are not sure about how to turn off browser auto-fill—or whether your critical information is even stored in the first place—contact CMIT Solutions today. We worry about IT security so you don’t have to.