This Simple Phishing Attack Tricks Users into Leaking Personal Details


Filling out web forms is a hassle, which is why browsers offer the convenience of auto-filling information for you. But this seemingly innocent 'Autofill' feature could be giving away your private information to hackers using "hidden" text boxes, in a new phishing attack.

Browser autofill used in a new phishing attack

Finnish web developer and white hat hacker Viljami Kuosmanen discovered that several web browsers, including Google's Chrome, Apple's Safari and Opera, along with some password managers, plugins, and utilities, including LastPass, can be tricked into giving away users' information.


The phishing attack is simple. When a user starts filling in text boxes, the Autofill feature fills in all the other text boxes on the form based on previous entries, even those boxes that are not visible on the page. In a demo, Kuosmanen showed that a simple web form with just two visible fields, Name and Email, could be designed to contain hidden fields that are then auto-filled, sending your address, phone number, organization, city, and country details to the attacker.

Kuosmanen said he could make the attack even worse by adding more sensitive fields out of sight, including the credit card number and CVV code. It should be noted that Chrome warns before auto-filling financial data into forms on sites that do not use HTTPS.

It essentially means that a hacker or phisher could design a web form and have you inadvertently send all the information stored in your browser. Chrome's Autofill system, for example, stores phone numbers, addresses, email addresses, credit card details, date of birth, and similar data.

While Safari and Chrome both suffer from this phishing attack, Mozilla's Firefox is not vulnerable to this attack strategy. Firefox doesn't offer a multi-box autofill system, which means it cannot be tricked into submitting information through hidden fields. However, Firefox too is currently developing a more complete autofill system.


How to protect yourself from this autofill phishing attack

Apart from disabling or more carefully managing the feature, there is no other way to ensure your browser isn't leaking this data. You can protect yourself from this autofill phishing attack by disabling the autofill feature offered by your browser or extension/plugin. Here's how to do it in Chrome, Safari, and Opera.

  • Safari: Click on Safari in the top left > Preferences > Autofill > uncheck all or some of the boxes.
  • Chrome: Click on the vertical three dots to get to Settings > click on Show advanced settings at the bottom to reveal more options. Under Passwords and forms, uncheck the Auto-fill box, or go to Manage for more controls.
  • Opera: Go to Settings > uncheck Autofill.

You can also test what hidden data your browser's or extension's autofill feature is sending using this proof-of-concept site.